You can find many claims online regarding BSD jails being "better" in some way than Linux namespaces for containment, but they typically lack technical details. From what I understand, the attack surface is pretty much equivalent (shared kernel syscalls, drivers in exposed devices, shared networking stack, shared filesystem access and memory pages).

To make this question not opinion-based, given a reasonably configured system, so:

  • not using host root inside containment
  • not sharing extra services/filesystems which can be exploited
  • not forwarding more capabilities than necessary for the contained environment
  • using current best-practice configuration for either system

Are there any specific vulnerability classes or attack surfaces which are present in recent LXC+cgroups which are mitigated/impossible in (any type of) BSD jails? I'm ignoring here coding bugs related to specific implementations that have immediate fixes - I'm only interested in security problems which are prevented by design in the other solution.

viraptor

0 Answers