by raesene9 1205 days ago
There have been a bunch of Linux kernel privesc vulns that can be converted to container breakouts from standard Linux containers; just look at bounties from Google's kCTF (AFAIK they've had 10 different kernel vulns in 2 years).

It's possible to mitigate/reduce them for sure, with appropriate hardening, but the Linux kernel is still quite a big attack surface.


What about kernels like seL4? I think everyone will abandon monolithic kernels one day because they have too much attack surface.
Is anyone running normal workloads (node/java/php/python/whatever) on seL4 without sticking Linux in the middle?