1

I learned about gVisor from https://security.stackexchange.com/a/259275/133925 . It runs containers under a custom kernel, written in Go, with very intense security.

My question is: The whole point of Docker is to use the host kernel. How does gVisor run it under a custom kernel of their own?

SRobertJames
  • 245
  • 1
  • 7
  • 1
    How it manages to do this is explained in [the official documentation](https://gvisor.dev/docs/). What part of this don't you understand and what part of this missing understanding is actually relevant for information security? Maybe the sentence which makes the main point is *"gVisor’s approach is similar to User Mode Linux (UML), ..."*. – Steffen Ullrich Feb 03 '22 at 02:41
  • @SteffenUllrich What I don't understand is: How does gVisor swap out the Linux kernel for its user mode kernel? AFAIK everything Docker does is done _via_ the kernel. Moreover, since there's no VMM, how does gVisor catch the `syscall` op and direct it to its usermode app? Won't the CPU act on `syscall` the way it always does: e.g. switching to kernel mode? – SRobertJames Feb 03 '22 at 03:11
  • *"How does gVisor swap out the Linux kernel for its user mode kernel?"* - it doesn't and there is nothing in the linked documentation which suggests this. The user mode kernel is running as a process inside the original kernel. The processes inside docker then run as processes inside this user mode kernel instead of running inside the original kernel. It might be useful if you make yourself familiar with the concept of [user mode linux](https://en.wikipedia.org/wiki/User-mode_Linux). Apart from this - I don't see anything here being about *security*, i.e. the questions seems to be off-topic. – Steffen Ullrich Feb 03 '22 at 03:24
  • @SteffenUllrich gVisor's entire goal is _security_. Understanding how it achieves that is paramount to proper security usage: One should _never_ say "This product provides security -- I don't know how, but it's from Google -- so fire away!" I'm looking for clarity on the means by which gVisor isolates the host Linux kernel behind an application user space kernel written in Go. The security of this isolation is the reason gVisor exists, and it makes sense to understand how it achieves that. – SRobertJames Feb 03 '22 at 22:35
  • You don't ask about the security aspects of gVisor but how it manages to run as kernel - which is not a security aspect. On-topic would be to ask what advantages or disadvantages this approach has security-wise. But that's not what you are asking - instead you are interested in the pure non-security mechanics of how this works. – Steffen Ullrich Feb 04 '22 at 05:09

1 Answers1

0

gVisor’s platform blog post gives an overview of how gVisor intercept application operations.

The short summary is that there are multiple approaches, but the simplest, default mechanism uses the ‘ptrace’ system calls on the host kernel to request all system calls made by the untrusted application are forwarded to the user space kernel rather than being handled by the host kernel.

prattmic
  • 101