-
-
crosvm
The Chrome OS Virtual Machine Monitor - Mirror of https://chromium.googlesource.com/crosvm/crosvm/
-
InfluxDB
Power Real-Time Data Analytics at Scale. Get real-time insights from all types of time series data with InfluxDB. Ingest, query, and analyze billions of data points in real-time with unbounded cardinality.
-
nsjail
A lightweight process isolation tool that utilizes Linux namespaces, cgroups, rlimits and seccomp-bpf syscall filters, leveraging the Kafel BPF language for enhanced security.
Note that a sandbox escape is often possible via TIOCSTI (CVE-2017-5226) [0] unless a special flag (--new-session) is used.
Bubblewrap is aware of this, yet their documentation gives no indication that this flag is necessary to produce a secure sandbox. In --help, the documentation of --new-session is simply "Create a new terminal session," which severely understates its importance.
It's frustrating to have such a useful tool be knowingly easy to misuse.
[0]: https://github.com/containers/bubblewrap/issues/142
I've also been looking into shipping apps as VM images with a minimal kernel. Do you know if WHPX requires the user to have admin rights? On the host side, Windows and Mac ports of crosvm [1] could be useful. crosvm seems to have all the necessary virtio device types, but a greater focus on security than QEMU.
[1]: https://google.github.io/crosvm/