Can I protect a container with sysbox from root access?

[chankim9321]

Hello! I'm Junior Engineer in system software
I made an application and deployed as a container
I have to protect service container images.. from root access(It can be malicious host or Untrusted OS)
(it is ok to start or stop the container. but I hope that It should be NOT opend.)
I hope that my application should be excuted only in Linux OS but Unfortunately, should be excuted in WSL2 on Windows either.
I already read about security readme file, but I'm not sure It is possible that I said before.
can you guys give me some opinions or any advices?

I'm sorry about my english description(not familiar with eng)

[ctalledo]

Hi @chankim9321, sorry for the late reply.

When you run an app inside a Docker + Sysbox container, you are isolating the app using the Linux user-namespace (i.e., the container has a "fake root" environment, where the root in the container maps to an unprivileged user on the host). In other words, it's harder for the app to breach the host, compared to a regular Docker container.

Having said that, the protection is from app->host, not the other way around. That is, a user that has root on the host can do anything on it, including peeking into the app running inside container.

Not sure if that answers your question or not.

Sysbox runs on Linux, and should also run well as on Windows WSL, though we don't actively test on it.