Sandbox-gVisor/Sandbox

gVisor Sandbox

JavaScript Engine for System Call Handlers

Introduction

In this project, we have patched gVisor, an open-source container runtime sandbox, to embed a JavaScript (JS) engine. The JS engine executes custom system call handlers written in JavaScript, called hooks. Hooks expose information about the running processes, the system calls they make, and the call arguments. In addition, custom functions called "accessors" let a hook modify specific values during system call handling.
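To make the hook/accessor idea concrete, here is an added JavaScript example that is not part of this project's code. It simulates a tiny hook engine and runs three hooks over a constructed syscall trace: one denies opening credential files, one rewrites a path argument, and one restricts connect() by port. The names registerHook, dispatch, and the ctx object with getArg/setArg/deny are hypothetical stand-ins, not the project's real API (see examples/gWisord/ for that); the syscall records and the decoded sockaddr shape are constructed.

```javascript
"use strict";

// Added illustration, not code from the Sandbox-gVisor project. The hook API
// (registerHook, the ctx object with getArg/setArg/deny, the dispatch loop) is
// a hypothetical stand-in for the project's real JS hook/accessor interface,
// which is documented in examples/gWisord/. Syscall records are constructed.

const hooks = new Map(); // syscall name -> hooks in registration order
const auditLog = [];     // every dispatched call, for monitoring use cases

function registerHook(syscall, fn) {
  if (!hooks.has(syscall)) hooks.set(syscall, []);
  hooks.get(syscall).push(fn);
}

// Run one syscall record through its hooks. Hooks see the process id, the
// syscall name and the arguments; accessors read (getArg) and rewrite (setArg)
// arguments, and deny(errno) short-circuits the chain so later hooks never run.
function dispatch(record) {
  const args = record.args.slice();
  let decision = { action: "allow", errno: 0 };
  const ctx = {
    pid: record.pid,
    syscall: record.syscall,
    getArg: (i) => args[i],
    setArg: (i, v) => { args[i] = v; },
    deny: (errno) => { decision = { action: "deny", errno }; },
  };
  for (const fn of hooks.get(record.syscall) || []) {
    fn(ctx);
    if (decision.action === "deny") break;
  }
  const result = { ...decision, args };
  auditLog.push({ pid: record.pid, syscall: record.syscall, ...result });
  return result;
}

const EACCES = 13;

// Hook 1: block reads of credential files. Registered first so it inspects the
// caller's original path before any rewriting hook touches it.
registerHook("openat", (ctx) => {
  const path = ctx.getArg(1);
  if (path === "/etc/shadow" || path.startsWith("/root/.ssh/")) ctx.deny(EACCES);
});

// Hook 2: redirect /etc/hosts to a sandbox-controlled copy via the accessor.
registerHook("openat", (ctx) => {
  if (ctx.getArg(1) === "/etc/hosts") ctx.setArg(1, "/sandbox/hosts");
});

// Hook 3: only allow outbound connects to port 443. The constructed arg shape
// (fd, {addr, port}) stands in for the decoded sockaddr.
registerHook("connect", (ctx) => {
  const sa = ctx.getArg(1);
  if (sa.port !== 443) ctx.deny(EACCES);
});

// Constructed trace of what a sandboxed process might issue.
const SAMPLE_TRACE = [
  { pid: 42, syscall: "openat", args: [-100, "/etc/shadow", 0, 0] },
  { pid: 42, syscall: "openat", args: [-100, "/etc/hosts", 0, 0] },
  { pid: 42, syscall: "connect", args: [3, { addr: "10.0.0.5", port: 22 }] },
  { pid: 42, syscall: "write", args: [1, "hello\n", 6] }, // no hook: allowed as-is
];

// Returns one {action, errno, args} result per record, in trace order.
function runTrace(trace) {
  return trace.map(dispatch);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const r of runTrace(SAMPLE_TRACE)) console.log(JSON.stringify(r));
}
```

Two caveats a practitioner should keep in mind when writing hooks like these. First, a hook that matches on a path string sees the string the process passed, not the file it resolves to (relative paths against dirfd, symlinks, bind mounts), so such checks complement the path resolution gVisor's Sentry performs rather than replacing it. Second, hook order matters: a rewriting hook registered before a deny hook changes what the deny hook sees, so ordering decisions are themselves part of the policy.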

Motivation

The motivation behind this project was to extend the capabilities of gVisor and enable more flexible and dynamic handling of system calls. With the JS engine integration, we sought to gain insights into the inner workings of processes, manipulate system call arguments, and control system call behavior, all using JavaScript code.

Documentation and examples

Documentation and examples may be found in examples/gWisord/.

Quick launch

Run:

    ./init_script.sh your_config.json

This builds gVisor and runs it using the builtin command `runsc do`. More about the configuration file may be found in the documentation under examples/gWisord/.

If you have already built gVisor, you may run:

    ./run_script your_config.json

Conclusion

The successful integration of a JavaScript engine into gVisor has significantly enhanced its capabilities by enabling the use of custom JavaScript-based system call handlers. These handlers empower us to extract vital information about processes, manipulate system call arguments, and control system call behavior. The flexibility offered by the accessors further allows for dynamic customization, making gVisor an even more powerful and versatile container runtime sandbox.

The potential applications of this patch range from debugging and monitoring to security analysis and testing, making it a valuable addition to gVisor's feature set. Further development and testing will continue to refine the system and explore additional use cases.