👀 So, here's 18 minutes of pure geeky bliss where we pretend #sandboxing is as thrilling as bungee jumping. 🏗️ Let's endlessly list things like namespaces, #cgroups, and #gVisor while forgetting that 99% of readers are now asleep. 😴 Keep your kernels close, folks, because apparently, they’re the rockstars of this yawn-fest. 🎸
https://www.shayon.dev/post/2026/52/lets-discuss-sandbox-isolation/ #geekybliss #techhumor #HackerNews #ngated
Let's discuss sandbox isolation

A dive into the spectrum of sandboxing and isolation, from Linux namespaces and gVisor to hardware-enforced microVMs and WebAssembly, and why picking the right boundary matters for multi-tenant workloads.

Shayon Mukherjee
To compare #sydbox and #gvisor, take 2 CVEs: CVE-2018-19333, gvisor proc2proc arbitrary-memory-write which wasn't classified as sandbox break. Vuln is there because gvisor uses the seccomp-trap API to run all in a single process ignoring ASLR. CVE-2024-42318 aka Houdini is a #landlock break where a keyrings(7) call would unlock the sandbox. Syd wasn't affected: 1. keyrings is def disabled 2. open call happens in a syd emulator thread confined by the same landlock sandbox. #exherbo #linux #security
Would you be interested in cooperating to build the next #dangerzone #flatpak #snap #ai/#gpu #rustlang #sandbox (insert-hype-here) based on #sydbox rather than #bubblewrap #firejail #snap-confine #gvisor (insert-sandbox-here)? We have #sydbox the application kernel, pandora the automatic profile writer, and syd-tui as a basic tui frontend using #ratatui, however we lack more practical tooling for wider adoption. Dreams, ideas, plans, all sorts of feedback, and contributions are equally welcome!
Yes, please!
80%
No, go away!
0%
I'll DM or mail [email protected]
0%
I want to see you at RustConf2026
20%

When AI agents execute code: why containers alone aren't enough

Introduces why containers alone are insufficient when AI agents run code, and practical criteria for choosing among sandbox technologies such as microVMs, gVisor, and Wasm.

https://aisparkup.com/posts/8084

#AIAnToan #Sandboxing #KhoaHocDuLieu #AIQuanLy

Limiting the autonomous behavior of AI agents through sandboxing: the article analyzes the risks of uncontrolled tool access, network/system exposure, and solutions such as Docker, Firecracker, and gVisor. Learn how to optimize safety in your products.

#AIUnsafe #AnToanCongNghe #QuanLyAI #Container #MicroVM #GVisor #DevOps #Cybersecurity

https://www.reddit.com/r/programming/comments/1po8ar9/sandboxing_ai_agents_practical_ways_to_limit/

Never trust other people's benchmarks: For #sydbox, benchmarks are run in CI with different profiles over #git compilation. #gvisor is also used with ptrace and systrap backends to have a solid ground to compare against. Unlike the unrealistic getpid benchmark which gvisor devs use in their blogpost to justify that systrap is noticeably faster, our benchmarks claim the opposite. This on its own proves nothing but it's enough reason to be skeptical about benchmarks. #exherbo #linux https://builds.sr.ht/~alip/job/1587917#task-bench
What is gVisor?

It has been a really long time since I last wrote something here as life happens, things get busier, etc. I am now trying to get back into writing things down and here we go! So, imagine a tool or a service that allows you to run some arbitrary code via a shell, either through ssh or, more commonly, via a web terminal. How do these tools isolate your code from other people's code and vice versa? How come you cannot see other people's code or processes?

Ye Lin's Random stuff
#gvisor does not/cannot ship PIE binaries and requires ROOT; #sydbox needs no extra privileges, is built with PIE, and will _not_ execute any non-PIE binaries unless relaxed with trace/allow_unsafe_nopie:1 #exherbo

xyhhx vs gvisor and cilium: round 2

#kubernetes #gvisor #cilium

Well, that's a bit of a letdown. I upgraded my machines to Talos 1.8.0 and gvisor broke. Probably due to containerd v2. Thankfully, someone already noticed that a while back and it seems to be an upstream issue.

https://github.com/siderolabs/extensions/issues/417

#Talos #gvisor #kubernetes

Gvisor pod cannot be terminated properly · Issue #417 · siderolabs/extensions

The Gvisor test pod used in talos e2e-extensions test never terminates successfully, this causes the reboot/shutdown sequence to hang and eventually timeout, the kubelet shows failed to delete pod s...

GitHub