Well, the boundary between the host and the guest, the system call API, is alway... | Hacker News

Hacker News new | past | comments | ask | show | jobs | submit

login

fwsgonzo 26 days ago | parent | context | favorite | on: Show HN: Ephemeral VMs in 1 Microsecond

Well, the boundary between the host and the guest, the system call API, is always going to be the biggest vector of attacks no matter what the solution used is. But, if you find a problem and fix it, you're back to being safe again, unlike if you don't have any sandboxing at all. You can also put the whole solution in a jail, which is very common nowadays.

jumploops 26 days ago [–]

Can you expand on “put the whole solution in a jail”?

fwsgonzo 26 days ago | | [–]

FireCracker has a jailer: https://github.com/firecracker-microvm/firecracker/blob/main...

jumploops 26 days ago | | | [–]

Ah, this is helpful, thanks!

CartwheelLinux 26 days ago | | [–]

https://wiki.freebsd.org/Jails

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact