by raesene9 1710 days ago
That's very true, although I think there's a difference in attack surface size between the three isolation options (process based, sandbox based, hypervisor based).

I think the challenge for process isolation container based stacks (as I'm sure you know :) ) is that there are multiple components/groups involved in security, and then there's co-ordination with the underlying Linux kernel as well, which makes things tricky, as Linux kernel devs will have potentially differing goals to the container people (e.g. the challenges about how to handle the interaction of new syscalls and seccomp filters).

If you compare that to something like gVisor, where there's essentially a single group responsible for creating/maintaining the sandbox, it's an easier task for them.
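The syscall/seccomp interaction mentioned above comes down to what a profile does with a syscall it has never heard of. The evaluator below is an added example, not code from the commenter or from any container runtime: it reads a constructed OCI-style seccomp profile (a small illustrative allowlist, not the real Docker default), ignores argument filters, and uses a placeholder name `hypothetical_future_syscall` to stand in for a syscall added to the kernel after the profile was written.

```python
import errno
import json

# Constructed OCI-style seccomp profile (illustrative allowlist, not the real
# Docker/containerd default). Only the fields the evaluator reads are present;
# argument filters ("args") are deliberately omitted for brevity.
ALLOWLIST_PROFILE = json.loads("""
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "syscalls": [
    {"names": ["read", "write", "exit_group", "openat", "mmap"],
     "action": "SCMP_ACT_ALLOW"},
    {"names": ["ptrace"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1}
  ]
}
""")


def decide(profile, syscall_name):
    """Return (action, errno-or-None) that the profile yields for one syscall.

    First matching rule wins; any syscall no rule names falls through to
    defaultAction, which is exactly what happens to a syscall the kernel
    gained after the profile was written. Per-rule errnoRet is assumed to
    default to EPERM when absent (assumption of this simplified model).
    """
    for rule in profile.get("syscalls", []):
        if syscall_name in rule.get("names", []):
            action = rule["action"]
            ret = rule.get("errnoRet", errno.EPERM)
            return action, ret if action == "SCMP_ACT_ERRNO" else None
    action = profile.get("defaultAction")
    ret = profile.get("defaultErrnoRet", errno.EPERM)
    return action, ret if action == "SCMP_ACT_ERRNO" else None


def audit(profile, syscall_names):
    """Map each syscall name to a readable verdict such as SCMP_ACT_ERRNO(ENOSYS)."""
    verdicts = {}
    for name in syscall_names:
        action, ret = decide(profile, name)
        verdicts[name] = action if ret is None else f"{action}({errno.errorcode.get(ret, ret)})"
    return verdicts


if __name__ == "__main__":
    probes = ["read", "ptrace", "hypothetical_future_syscall"]
    # Allowlist: the unknown syscall is refused (ENOSYS lets libc fall back).
    print(audit(ALLOWLIST_PROFILE, probes))
    # Same rules, denylist-style default: the unknown syscall is silently allowed.
    print(audit(dict(ALLOWLIST_PROFILE, defaultAction="SCMP_ACT_ALLOW"), probes))
```

Running it shows the trade-off the comment alludes to: an allowlist profile refuses every new syscall until someone updates the profile, while a denylist-style default lets every new syscall straight through the sandbox.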