Overview of sVirt and sandboxing through virtualization

Registered by Eric Blake

This blueprint has been superseded. See the newer blueprint "Building application sandboxes on top of LXC and KVM with libvirt" for updated plans.

This session will provide an overview of the recent virt-sandbox project, which aims to provide sandboxing of applications via the use of lightweight guests (both KVM and LXC). Discussion will cover techniques such as sVirt (use of SELinux labeling to prevent the sandboxed guest from altering unauthorized resources in the host) and plan9 filesystem sharing (to allow the guest to share a specified portion of the host file system), as well as any ideas for how to reduce the time taken for a host to start a sandboxed application.

Topic Lead: Eric Blake
Eric is currently a primary contributor to the libvirt project, which presents a unified management interface into multiple virtualization technologies, such as KVM, LXC, and Xen. He is also active in the Austin Group for developing POSIX interfaces, as well as a contributor to the gnulib project for providing ports of POSIX and other interfaces to a large variety of platforms.

Blueprint information

Status:
Complete
Approver:
None
Priority:
Undefined
Drafter:
None
Direction:
Needs approval
Assignee:
None
Definition:
Superseded
Series goal:
None
Implementation:
Unknown
Milestone target:
None
Completed by
Eric Blake

Related branches

Sprints

Whiteboard

(?)

Work Items

This blueprint contains Public information 
Everyone can see this information.