Instead of merely filtering the workload's syscalls on their way to the host kernel, gVisor interposes a separate, user-space kernel implementation called the Sentry between the untrusted code and the host. The Sentry implements the Linux syscall interface itself and does not touch the host filesystem directly; a separate process, the Gofer, performs file operations on the Sentry's behalf and communicates with it over a restricted file-access protocol. The Sentry's own host syscalls are in turn confined by a seccomp-bpf filter, so even the Sentry's file access is mediated: a compromised Sentry is still limited to the small set of messages the Gofer is willing to answer, rather than to whatever the host kernel would allow.
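The following Python block is an added illustration of the broker pattern described above; it is not gVisor's code and its message shapes (`("open", path)`, `("read", handle, size, offset)`, `("close", handle)`) are invented for the example. The `Gofer` class holds the only directory descriptor for the mount root and answers a fixed set of verbs, resolving every path one component at a time under that descriptor with `O_NOFOLLOW`, while the `Sentry` stand-in can reach the host filesystem only by sending it messages. The test scenario (a file inside the mount, a symlink pointing outside it, and a `..` escape attempt) is constructed inline.

```python
"""Toy model of the Sentry/Gofer split: the sandboxed side never holds a host
path capability, only opaque handles from a broker that enforces confinement.
Illustrative code, not gVisor's own."""
import os
import shutil
import tempfile


class GoferError(Exception):
    """Raised when the Gofer refuses or fails a request."""


class Gofer:
    """Trusted file broker. Owns the root directory fd; answers three verbs."""

    VERBS = {"open", "read", "close"}

    def __init__(self, root):
        self.root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
        self.handles = {}      # opaque handle id -> host fd
        self.next_handle = 1

    def _resolve(self, path):
        # Walk component by component relative to root_fd. '..' is refused
        # outright, and O_NOFOLLOW makes any symlink fail with ELOOP, so the
        # walk can never leave the mount regardless of what the path says.
        parts = [p for p in path.split("/") if p not in ("", ".")]
        if not parts or ".." in parts:
            raise GoferError("path refused: %r" % path)
        fd = self.root_fd
        try:
            for i, part in enumerate(parts):
                flags = os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC
                if i < len(parts) - 1:
                    flags |= os.O_DIRECTORY   # intermediate components must be dirs
                nfd = os.open(part, flags, dir_fd=fd)
                if fd != self.root_fd:
                    os.close(fd)
                fd = nfd
        except OSError as e:
            if fd != self.root_fd:
                os.close(fd)
            raise GoferError("%s: %s" % (path, e.strerror))
        return fd

    def handle(self, msg):
        verb, args = msg[0], msg[1:]
        if verb not in self.VERBS:
            raise GoferError("unknown verb %r" % verb)
        if verb == "open":
            fd = self._resolve(args[0])
            h, self.next_handle = self.next_handle, self.next_handle + 1
            self.handles[h] = fd
            return h
        h = args[0]
        if h not in self.handles:
            raise GoferError("bad handle %r" % h)
        if verb == "read":
            return os.pread(self.handles[h], args[1], args[2])
        os.close(self.handles.pop(h))   # verb == "close"
        return None


class Sentry:
    """Stand-in for the sandbox kernel: all file I/O goes through the Gofer."""

    def __init__(self, gofer):
        self.gofer = gofer

    def read_file(self, path):
        h = self.gofer.handle(("open", path))
        try:
            chunks, off = [], 0
            while True:
                chunk = self.gofer.handle(("read", h, 4096, off))
                if not chunk:
                    return b"".join(chunks)
                chunks.append(chunk)
                off += len(chunk)
        finally:
            self.gofer.handle(("close", h))


def demo():
    """Constructed scenario: returns what the sandboxed side could reach."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    try:
        os.mkdir(os.path.join(root, "data"))
        with open(os.path.join(root, "data", "hello.txt"), "wb") as f:
            f.write(b"hello from inside the mount\n")
        with open(os.path.join(outside, "secret.txt"), "wb") as f:
            f.write(b"host secret\n")
        os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "escape"))

        sentry = Sentry(Gofer(root))
        results = {"inside": sentry.read_file("data/hello.txt")}
        attempts = {
            "symlink": lambda: sentry.read_file("escape"),
            "dotdot": lambda: sentry.read_file("data/../../%s/secret.txt"
                                               % os.path.basename(outside)),
            "absolute": lambda: sentry.read_file(os.path.join(outside, "secret.txt")),
            "unknown_verb": lambda: sentry.gofer.handle(("unlink", "data/hello.txt")),
        }
        for name, attempt in attempts.items():
            try:
                attempt()
                results[name] = "allowed"
            except GoferError:
                results[name] = "refused"
        return results
    finally:
        shutil.rmtree(root)
        shutil.rmtree(outside)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The point to take from the model is where the enforcement lives: the `Sentry` never sees a host fd or a host path capability, so a bug in it cannot widen file access beyond what the `Gofer` will answer, and the `Gofer` itself exposes only three verbs, none of which can create, delete, or follow links.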