by kevin_nisbet
698 days ago
I'm not sure this is correct; I suspect this works on a similar principle as something like gVisor where, as I understand it, syscalls are redirected to another userspace program. In gVisor's case the kernel basically gets re-implemented in user-space to provide the secure container-like implementation. Also, as I recall, some of the kernel-based syscall-based sandboxing has had a number of issues with dealing with some of the syscalls.