undefined | Better HN

0 pointsyencabulator1y ago0 comments

> One of the advantages of a thin kernel interface to something like Linux is really low overhead and low implementation burden for Wasm engines.

Such a low burden that both Google (gVisor) and Microsoft (WLS1) failed at it!

0 comments

titzer1y ago

A thin kernel interface isn't a reimplementation of a kernel. The WALI implementation in WAMR is ~2000 lines of C, most of which is just pass-through system calls.

yencabulatorOP1y ago

Okay, so you mean forwarding the syscalls, not implementing them, and thus throwing away the wasm sandbox.

titzer1y ago

It does not throw away the Wasm sandbox. Sandboxing means two things: memory sandboxing and system sandboxing. It retains the former. For the latter you can apply the same kinds of sandboxing policies as native processes and achieve the same effect, or even do it more efficiently in-process by the engine, and do interposition and whitelist/blacklisting more robustly than, e.g. seccomp.

1 more reply

j / k navigate · click thread line to collapse

0 pointsyencabulator1y ago0 comments

> One of the advantages of a thin kernel interface to something like Linux is really low overhead and low implementation burden for Wasm engines.

Such a low burden that both Google (gVisor) and Microsoft (WLS1) failed at it!

0 comments

titzer1y ago

A thin kernel interface isn't a reimplementation of a kernel. The WALI implementation in WAMR is ~2000 lines of C, most of which is just pass-through system calls.

yencabulatorOP1y ago

Okay, so you mean forwarding the syscalls, not implementing them, and thus throwing away the wasm sandbox.

titzer1y ago

1 more reply

j / k navigate · click thread line to collapse