clawsyndicate 3 days ago

since we allow agents to execute arbitrary python, we treat every container as hostile. we've definitely seen logs of agents trying to crawl /proc or hit the k8s metadata api. gvisor intercepts those syscalls so they never actually reach the host kernel.

alexzenla an hour ago | parent | next [-]

The reason why virtualization approaches with true Linux kernels are still important is that what you do allow via syscalls ultimately does result in a syscall on the host system, even if through layers of indirection. Ultimately, if you fork() in gVisor, that calls fork() on the host (btw fork() execve() is expensive on gVisor still).

The middle ground we've built is that a real Linux kernel interfaces with your application in the VM (we call it a zone), but that kernel then can make specialized and specific interface calls to the host system.

For example, with NVIDIA on gVisor, the ioctl()s are passed through directly; with NVIDIA driver vulnerabilities that can cause memory corruption, that leads directly into corruption in the host kernel. With our platform at Edera (https://edera.dev), the NVIDIA driver runs in the VM itself, so a memory corruption bug doesn't percolate to other systems.

rootnod3 3 hours ago | parent | prev [-]

And you see no problem in that at all? Just “throw a box around it and let the potentially malicious code run”?

Wait until they find a hole. Then good luck.

alexzenla 42 minutes ago | parent [-]

This is why you can't build these microVM systems to just do isolation; they have to provide more value than that. Observability, policy, etc.