Description
Firejail is a sandboxing program which uses, for example, seccomp and namespaces to contain applications. It would be awesome to include virtualization in Firejail, for example in cooperation with gVisor. Virtualization could be used for deeper system call interception by dereferencing the pointers, flushing caches at system calls, or even filtering low-level CPU instructions and messing with page tables to protect, for example, from Spectre-class speculative execution attacks.
Is this feature related to a specific bug?
I didn't find previous issues related to this request.
Do you have a specific solution in mind?
It seems that gVisor only provides very high-level interfaces like executing runsc or writing OCI config files, and gVisor also duplicates some functionality provided by Firejail, like network or file system filtering. For Firejail the interface should be much lower-level, and there should be methods to handle system calls with Firejail-provided methods, for example plugins. So ideally gVisor should provide a low-level C library for setting up the VM, and then, for example, a binary plugin interface for intercepting system calls. The plugins should be able to access the memory inside the VM and deny/allow the system call.