It's actually not in that old tech report, nor in the final version being submitted to USENIX due to space constraints, but was in intermediate versions and has always been in the talks I've given on it, where I basically stated up front that we were concerned about exploits like the run of PDF exploits, but if you are concerned about the kernel being exploited as well that would need a different container approach being container's don't provide isolated kernels.
so I'll agree with
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds