by camuel 5199 days ago
There are two techniques for resource isolation:

1. Filtering all resource accesses, letting some pass and denying others.

2. Enforcing a different abstraction, and then unwanted resource accesses become impossible as they are not even addressable.

Filtering is by definition less secure. As filtering gets more complicated there would be false negatives and false positives. Both are harmful.

Enforcing a different abstraction is usually less efficient as there is a need to simulate hardware devices. However, some devices have hardware support for virtualization, as with Intel CPUs and MR-IOV devices, and then enforcing abstraction is free.

LXC/OpenVZ use mostly #1

XEN/KVM use mostly #2
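
A toy model of the two techniques in the comment above, added here as an illustration and not part of the original comment: a filter that vets path strings over a shared namespace next to a per-tenant namespace in which foreign resources have no name. The resource table, the filter rules and all class and function names are constructed for the example.

```python
import posixpath

# Constructed host-wide resource table; every path and value is made up.
HOST = {
    "/srv/tenant_a/data.db": "A's data",
    "/srv/tenant_a/etc-backup/passwd": "A's own backup",
    "/srv/tenant_b/data.db": "B's data",
    "/etc/passwd": "host accounts",
}


class FilteredView:
    """Technique 1: the tenant names host resources; a filter vets each access."""

    ALLOW_PREFIX = "/srv/tenant_a/"   # hypothetical allow rule
    DENY_SUBSTRING = "passwd"         # hypothetical deny rule

    def read(self, path):
        if not path.startswith(self.ALLOW_PREFIX) or self.DENY_SUBSTRING in path:
            raise PermissionError(path)
        # The filter judged the string, but the host resolves it afterwards.
        return HOST[posixpath.normpath(path)]


class AbstractedView:
    """Technique 2: the tenant gets a private namespace holding only its own
    resources. Building the table is the translation cost paid up front."""

    def __init__(self, tenant_root):
        cut = len(tenant_root)
        self._table = {p[cut:]: v for p, v in HOST.items()
                       if p.startswith(tenant_root + "/")}

    def read(self, name):
        return self._table[name]      # exact key lookup, no host path parsing


def outcome(view, name):
    """Return the data read, or the name of the exception that stopped it."""
    try:
        return view.read(name)
    except (PermissionError, KeyError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    f, a = FilteredView(), AbstractedView("/srv/tenant_a")
    for view, name in [(f, "/srv/tenant_a/../tenant_b/data.db"),   # false negative
                       (f, "/srv/tenant_a/etc-backup/passwd"),     # false positive
                       (a, "/etc-backup/passwd"),
                       (a, "/../tenant_b/data.db")]:
        print(type(view).__name__, name, "->", outcome(view, name))
```

The filtered view both leaks tenant B's data (false negative) and blocks tenant A's own backup file (false positive); the abstracted view serves the backup and has no key through which B's data could be named.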