HackerTrans
TopNewTrendsCommentsPastAskShowJobs

kang1

no profile record

comments

kang1
·12개월 전·discuss
gvisor is difficult to implement in practice. it a syscall proxy rather than a virtualization mechanism (even thus it does have kvm calls).

This causes a few issues: - the proxying can be slightly slower - its not a vm, so you cannot use things such as confidential compute (memory encryption) - you can't instrument all syscalls, actually (most work, but there's a few edges cases where it wont and a vm will work just fine)

On the flip side, some potential kernel vulnerabilities will be blocked by gvisor, while it wont in a vm (where it wouldnt be a hypervisor escape, but you'd be able to run code as the kernel).

This is to say: there are some good use cases for gVisor, and there's less of these than for (micro) vms in general.

Google developed both gVisor and crosvm (firecracker and others are based on it) and uses both in different products.

AFAIK, there isn't a ton of gVisor use internally if its not already in the product, though some use it in Borg (they have a "sandbox multiplexer" called vanadium where you can pick and choose your isolation mechanism)
kang1
·12개월 전·discuss
not really, its just attack surface reduction
kang1
·12개월 전·discuss
no ;) (though you could start it there if you wanted, but.. why)

LD_PRELOAD simply loads a library of your choice that executes code in the process context, that's all. folks usually do this when they cannot recompile or change the running binary, which means they also hook and/or overwrite functions of the said program.

generally folks will have gvisor calls integrated to their sandbox code, before the target process starts, so no need for preloading anything in most cases