Changes

=== ClearContainers MIG Agent sandboxing ===* Mozilla Advisor: [https://mozillians.org/en-US/u/kang/ Guillaume Destuynder] and [https://mozillians.org/en-US/u/alm/ Aaron Meihm]* Difficulty: mediumhigh

Port clear containers for easy AWS deployment, dockerfile support [http://mig.mozilla.org Mozilla InvestiGator (?MIG)] is a digital forensics platform used by Mozilla to monitor the security of servers. MIG deploys an agent on systems that is used to maintain the security of the infrastructure. The agent currently runs as root in order to run investigation modules that have low-level access to the system. The goal of this project is to sandbox the MIG Agent in a way that allows each part to perform investigative work while having as little privileges as possible. The team will have to use the [https:** qemu "lite"** qboot bios** DAX / recent kernelClear containers are light-vms with KVM/vt-x supporten.wikipedia.org/wiki/Seccomp Linux Seccomp] mechanism, and shared memory area for disk io (via DAX)See also httpthe existing [https://downloadchromium.clearlinuxgooglesource.orgcom/chromiumos/platform/go-seccomp/releases+/master Go library], to implement a sandbox in the Agent. If possible, the team will also evaluate sandboxing on MacOS and Windows.