You mentioned SECCOMP_RET_TRACE, but there is also SECCOMP_RET_TRAP[1] which appears to perform bett...

coppsilgold • today at 7:03 AM • 1 reply • view on HN

You mentioned SECCOMP_RET_TRACE, but there is also SECCOMP_RET_TRAP[1] which appears to perform better. There is also KVM. Both of these are options for gVisor: <https://github.com/google/gvisor>

[1] <https://github.com/google/gvisor/blob/master/pkg/sentry/plat...>

Replies

monocasa • today at 7:11 AM

There's also SECCOMP_RET_USER_NOTIF, which is typically used by container runtimes for their sandboxing.

➕ show 1 reply

alt Hacker News

Replies