undefined | Better HN

0 pointssolatic7y ago0 comments

Yeah but one of the main ways in which gVisor provides security is by intercepting system calls and strictly limiting which calls can be made. Firecracker may use KVM instead of running entirely in usermode, but as far as most of us are concerned, that's an implementation detail. The pertinent question is whether the price of security is limiting the possible system calls, which means that Firecracker won't be able to run arbitrary containers, just as gVisor doesn't guarantee that it can run arbitrary code (which may require filtered system calls).

0 comments

ec1096857y ago

That’s not true. Your guest application has access to all Linux system calls in the guest VM.

You can see here the security model: https://github.com/firecracker-microvm/firecracker/blob/mast...

The firecracker process itself is limited in the system calls it can make, but kvm allows the guest Linux process the ability to expose a full set of system calls to end user applications.

j / k navigate · click thread line to collapse

0 pointssolatic7y ago0 comments

0 comments

ec1096857y ago

That’s not true. Your guest application has access to all Linux system calls in the guest VM.

You can see here the security model: https://github.com/firecracker-microvm/firecracker/blob/mast...

The firecracker process itself is limited in the system calls it can make, but kvm allows the guest Linux process the ability to expose a full set of system calls to end user applications.

j / k navigate · click thread line to collapse