crosvm
nsjail
crosvm | nsjail | |
---|---|---|
7 | 6 | |
725 | 2,785 | |
1.1% | 1.2% | |
9.9 | 7.9 | |
about 14 hours ago | 3 months ago | |
Rust | C++ | |
BSD 3-clause "New" or "Revised" License | Apache License 2.0 |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
crosvm
- Crosvm: The ChromeOS Virtual Machine Monitor
-
I'm releasing cargo-sandbox
The Linux kernel has a huge attack surface, and privilege escalation vulnerabilities abound. This is why https://gvisor.dev/ exists - it's a memory-safe proxy for Linux syscalls. This is also why Chrome OS runs its Linux environment in a custom hypervisor written in Rust instead of containers.
-
Make your QEMU 10 times faster with this one weird trick
Same protocol, but the implementation is at the discretion of whoever writes the server code.
For example I went to check and in crosvm we use a BTreeMap already for Fids for our p9 implementation (thankfully): https://github.com/google/crosvm/blob/main/common/p9/src/ser...
-
Firecracker: Lightweight Virtualization for Serverless Applications (2020)
I'm not sure, but maybe because it started as a fork of crosvm[0]?
[0]: https://github.com/google/crosvm
-
Is the source code for the Terminal app published online somewhere?
However i think what you're looking for is rather backend stuff, maybe take a look at here.
-
Bubblewrap: Unprivileged Sandboxing Tool for Linux
I've also been looking into shipping apps as VM images with a minimal kernel. Do you know if WHPX requires the user to have admin rights? On the host side, Windows and Mac ports of crosvm [1] could be useful. crosvm seems to have all the necessary virtio device types, but a greater focus on security than QEMU.
[1]: https://google.github.io/crosvm/
- Crosvm – The Chrome OS Virtual Machine Monitor
nsjail
-
Server-side sandboxing: Containers and seccomp
So what's the difference between nsjail[1] and bubblewrap[2]?
[1] https://github.com/google/nsjail
- Firejail: Light, featureful and zero-dependency security sandbox for Linux
-
Sandboxing C++, Rust, Python Code?
I am currently working on a code execution engine (also written in Rust) which uses nsjail for sandboxing and gnu time for measuring time and memory usage under the hood. You can run arbitrary code simply using a rest api and there is also a client library for Rust. It can already run C++, Rust and Python (and a few other languages) while allowing you to specify multiple source files, environment variables, command line arguments, standard input and resource limits (e.g. time, memory, maximum number of processes and whether network access is allowed or not). After running the program, the engine reports exit codes, outputs (stdout and stderr) and the amount of resources the program used.
- WebAssembly: Adding Python Support to WASM Language Runtimes
- Notes on Running Containers with Bubblewrap
- Bubblewrap: Unprivileged Sandboxing Tool for Linux
What are some alternatives?
cloud-hypervisor - A Virtual Machine Monitor for modern Cloud workloads. Features include CPU, memory and device hotplug, support for running Windows and Linux guests, device offload with vhost-user and a minimal compact footprint. Written in Rust with a strong focus on security.
bubblewrap - Low-level unprivileged sandboxing tool used by Flatpak and similar projects
qemu - QEMU commit queue for 9P (aka 9pfs) changes only. Please see http://wiki.qemu.org/Contribute/SubmitAPatch for how to submit changes to QEMU. Pull Requests are ignored. Please only use release tarballs from the QEMU website.
RIP - Free,Open-Source,Cross-platform agent and Post-exploiton tool written in Golang and C++.
slog - Structured, contextual, extensible, composable logging for Rust
wasmtime-py - Python WebAssembly runtime powered by Wasmtime
firecracker - Secure and fast microVMs for serverless computing.
logkeys - :memo: :keyboard: A GNU/Linux keylogger that works!
virtiofsd
sandkasten - Run untrusted code in an isolated environment
docker-install - Docker installation script
wasmer-python - 🐍🕸 WebAssembly runtime for Python