from Hacker News

Quark – A secure container runtime with CRI/OCI interface

by andutu on 2/14/24, 10:46 PM with 2 comments

  • by BobbyTables2 on 2/15/24, 4:41 AM

    Is there any real point to this?

    Is this effectively anything more than a syscall filtered container?

    To me, relaying syscalls from a guest in a VM to a host sounds like it is defeating the whole point of the VM!

    At least normally a VM doesn’t have direct access to host syscalls — it is confined to the emulated block and network devices which (should) provide a constrained means of access.

    Container escapes often happen because of exposure to host kernel interfaces (via syscalls!), and kernel file systems such as /sys and /proc (especially /proc/self shenanigans).

    I fear they have reinvented a container, much less efficiently.
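
As a concrete illustration of the "syscall filtered container" that BobbyTables2 contrasts Quark with, here is a minimal seccomp-BPF filter of the kind a container runtime installs in the child before exec'ing the workload. This is an added example, not Quark's code and not from the thread; which syscalls Quark itself intercepts or relays is not stated on this page. The choice of socket(2) as the denied call, the function names and the return codes are this example's own assumptions. It runs on Linux x86_64 or aarch64 and needs no privileges.

```c
/* Added example (not Quark's code): a seccomp-BPF syscall filter that
 * refuses socket(2) with EPERM and lets every other syscall through.
 * The filter checks the audit architecture first so a foreign-ABI
 * syscall (e.g. 32-bit on a 64-bit kernel) cannot bypass the number check.
 */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define EXAMPLE_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "this example only covers x86_64 and aarch64"
#endif

/* Install the filter in the calling process. Returns 0 on success or
 * -errno if the kernel (or an outer sandbox) refuses. Filters are
 * inherited across fork/exec and cannot be removed, which is exactly
 * why a runtime installs one just before starting the container. */
int install_deny_socket_filter(void) {
    struct sock_filter filter[] = {
        /* A = seccomp_data.arch; kill if it is not the ABI we compiled for */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, EXAMPLE_AUDIT_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        /* A = seccomp_data.nr (the syscall number) */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        /* nr == socket -> return EPERM to the caller instead of running it */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_socket, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        /* anything else: allow */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Unprivileged processes may only install a filter after opting out
     * of privilege gain (setuid binaries etc.). */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -errno;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return -errno;
    return 0;
}

/* Returns 1 if socket(2) is refused with EPERM, 0 if it still succeeds. */
int socket_is_blocked(void) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd >= 0) {
        close(fd);
        return 0;
    }
    return errno == EPERM;
}

/* Demo driver: 1 = filter active and socket(2) denied,
 *              2 = kernel/outer sandbox refused to install the filter,
 *              0 = filter installed but socket(2) still works (a bug). */
int demo_socket_filter(void) {
    int rc = install_deny_socket_filter();
    if (rc != 0) return 2;
    return socket_is_blocked() ? 1 : 0;
}

int main(void) {
    int r = demo_socket_filter();
    if (r == 1)
        puts("socket(2) now fails with EPERM: the filter is active");
    else if (r == 2)
        puts("the kernel refused to install the filter in this environment");
    else
        puts("filter installed but socket(2) still succeeded");
    return r == 0;
}
```

The point of the example relative to the comment: a filter like this is the entire boundary in a "syscall filtered container". Every call that is not denied goes straight into the host kernel, so the kernel's own attack surface (and interfaces such as /proc and /sys, which the filter does not see at all) is what the workload can reach.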

  • by kjok on 2/15/24, 5:41 PM

    Very cool! Curious to know the use cases for this tech?