Hacker News
by BrightGlow 1725 days ago
Because the goal was to make an API that works the same both inside the sandbox and outside the sandbox. Edit: It wouldn't work with just processes and namespaces because you need a way to talk to a resource with a privilege level above the current mount namespace.
1 comment

Right, the child process can't escape the sandbox. I guess IPC here is the only sane choice.