
Updates in container isolation

Posted May 17, 2018 2:23 UTC (Thu) by thinxer (guest, #121772)
In reply to: Updates in container isolation by anarcat
Parent article: Updates in container isolation

You don't actually worry about the kernel running inside the sandbox. You worry about the sandbox only, which usually has simpler interfaces than the kernel and thus a reduced attack surface.


to post comments

Updates in container isolation

Posted May 17, 2018 14:00 UTC (Thu) by anarcat (subscriber, #66354)

Right. I probably got this one backwards, apologies.

Still, the way Xen is designed just feels a little backwards to me, as the first layer is not actually the hypervisor itself but a (compatible) kernel that talks with the hypervisor. And yes, that *does* provide an *extra* layer of security at the cost of performance. But Xen's design also means you need a privileged supervisor domain (the dom0 in the case of Xen), which is also part of the attack domain now, and I seem to recall that being used as an attack vector in the past, but I could be mistaken there. I think this is where my analogy came from, but I must admit I cannot substantiate this any further, and I am forced to recognize that the attack surfaces are comparable with other hypervisors like gVisor, at least conceptually.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds