sandstorm-io / sandstorm

Sandstorm is a self-hostable web productivity suite. It's implemented as a security-hardened web app package manager.
https://sandstorm.io

Utilize gVisor to help isolate grains #3072

Open k9delight opened 6 years ago

k9delight commented 6 years ago

gVisor offers a userspace kernel, written in Go, that offers significant Linux kernel API functionality.

Supporting gVisor in Sandstorm looks like it would be beneficial, as it would add an extra barrier to prevent exploiting kernel vulnerabilities in grains - they'd first require a gVisor exploit of some type, and a corresponding Linux kernel exploit.

kentonv commented 6 years ago

Ehh... maybe.

gVisor would add quite a bit of overhead compared to the current containers-only approach. Sandstorm is intended to support lots and lots of grains running at once, and even with containers the resource usage is a lot higher than we'd like.

Meanwhile, we've had a lot of success with our attack surface reduction via seccomp, not mounting /proc, etc. I am not sure we have many examples of real-world cases where gVisor would have saved us from a vulnerability...