this post was submitted on 06 May 2026
29 points (93.9% liked)

Security

A community for discussion about cybersecurity, hacking, cybersecurity news, exploits, bounties etc.

[–] Neptr@lemmy.blahaj.zone 3 points 1 day ago (6 children)

For a proper sandbox (but also not a VM) on Linux, use Sydbox (or syd-oci). Virtual machines are an obvious choice, as said in the article, but a sandbox offers less overhead. The other issue with a VM is that, while it does isolate the guest from direct access to host resources, it doesn't stop the guest from doing whatever it wants (in the guest OS). The compromised guest could still attack the host or other network-attached devices. Virt guests should still be configured with least privilege using a MAC (like SELinux or SMACK), and/or a sandbox policy (like with syd-oci).

[–] moonpiedumplings@programming.dev 2 points 1 day ago (1 children)

Syd's architecture is similar to gVisor, mentioned in the article. It has similar tradeoffs, although I suspect it is more performant (can't find benchmarks) since it is written in Rust rather than Go.

gVisor has some significant performance hits: https://gvisor.dev/docs/architecture_guide/performance/. microVM/Cloud Hypervisor/other VM solutions, with KVM, are at around 95% performance.

[–] Neptr@lemmy.blahaj.zone 1 point 1 day ago

The advantage of an application kernel is that it reduces the access a running application has to exploit the kernel. Sure, with a VM the guest runs its own kernel. But the KVM hypervisor is still in the host's kernelspace. Implementing syscalls in userspace while using a safer subset of the kernel's syscalls helps prevent certain attacks. The performance hit is real of course. But syd has different goals than gVisor because it prevents apps from running unless they are given the permissions to do so.
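One concrete form of the "safer subset of the kernel's syscalls" idea in the comment above is a seccomp-bpf allowlist: the process can only reach the handful of syscalls the policy names, and everything else fails with EPERM before the kernel's handler for it runs. This is an added example, not code from the thread or from Syd/gVisor; it assumes an x86_64 Linux host, a constructed five-call allowlist, and a small interpreter (`decide`) that mirrors the kernel's evaluation of this instruction subset so the policy can be checked without installing it.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Constructed allowlist: the only syscalls the confined code may issue. */
static const int allowed[] = { SYS_read, SYS_write, SYS_brk, SYS_exit, SYS_exit_group };
#define N_ALLOWED (sizeof allowed / sizeof allowed[0])
#define PROG_LEN  (N_ALLOWED + 6)

/* Emit the policy: wrong ABI -> kill; nr on the list -> allow; anything else -> EPERM. */
size_t build_allowlist(struct sock_filter *p) {
    size_t n = 0;
    p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0); /* assumes x86_64 */
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < N_ALLOWED; i++)  /* on a match, jump straight to the final ALLOW */
        p[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], (unsigned char)(N_ALLOWED - i), 0);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    p[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Interpreter for the subset emitted above (LD arch/nr, JEQ, RET): checks the policy offline. */
unsigned int decide(unsigned int arch, unsigned int nr) {
    struct sock_filter p[PROG_LEN];
    size_t n = build_allowlist(p); unsigned int acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        switch (BPF_CLASS(p[pc].code)) {
        case BPF_LD:  acc = (p[pc].k == offsetof(struct seccomp_data, arch)) ? arch : nr; break;
        case BPF_JMP: pc += (acc == p[pc].k) ? p[pc].jt : p[pc].jf; break;  /* target = pc + 1 + offset */
        case BPF_RET: return p[pc].k;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;  /* ran off the end: fail closed */
}

int main(void) {
    struct sock_filter prog[PROG_LEN];
    struct sock_fprog fprog = { .len = (unsigned short)build_allowlist(prog), .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) ||  /* lets an unprivileged process install a filter */
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog)) return 1;
    const char *msg = (getpid() < 0 && errno == EPERM) ? "getpid blocked\n" : "getpid allowed\n";
    return write(STDOUT_FILENO, msg, 15) != 15;  /* write() itself is on the allowlist */
}
```

Once installed the filter is irrevocable for the process and everything it execs, which is why Syd-style sandboxes front it with a policy that grants access per application rather than one fixed list.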
