CME-701

Sandboxing / gVisor Runtime

Description

A sandboxed container runtime puts an extra boundary between the workload and the host kernel. gVisor runs each container against a user-space kernel (the Sentry) that implements the Linux syscall interface itself and reaches the host only through a small, seccomp-filtered set of syscalls; Kata Containers runs each pod in a lightweight VM with its own guest kernel. In both cases a workload syscall no longer reaches the host kernel directly, so a kernel exploit must first break out of the sandbox layer before it can touch the host. This provides defense-in-depth on top of the namespace and cgroup isolation of an ordinary runc container.

CVSS Vector Impacts

Metric      Transition   Rationale
Scope (S)   C -> U       The container's syscalls are served by the gVisor Sentry (or the Kata guest kernel), not the host kernel; a container escape must first break through that sandbox layer before it can reach the host.

CWE Relationships

Verification

Check container runtime class

$ kubectl get pod <pod> -o jsonpath='{.spec.runtimeClassName}'
# Expected: gvisor (or whatever RuntimeClass name the cluster maps to runsc or kata)
# Note: the class name on the pod is only a label; confirm that the RuntimeClass object's
# handler field is runsc or kata, since that is what the kubelet hands to the CRI
Platform: kubernetes
$ podman inspect --format '{{.OCIRuntime}}' <container>
# Expected: runsc|kata  (the field is OCIRuntime; a case-sensitive grep for "runtime" misses it)
Platform: linux
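A cluster-wide form of the Kubernetes check above, written here as an added example and not taken from the original page: it cross-references each pod's runtimeClassName against the RuntimeClass objects' handler field (the single-object form is `kubectl get runtimeclass <name> -o jsonpath='{.handler}'`), because the class name on a pod is an arbitrary label and only the handler tells you what the kubelet actually passes to the CRI. The embedded JSON is constructed sample data shaped like `kubectl get pods -A -o json` and `kubectl get runtimeclass -o json`; the set of handler names treated as sandboxes is an assumption and should be extended with whatever your Kata installation registers (for example kata-qemu or kata-clh).

```python
import json

# Constructed sample: a trimmed `kubectl get runtimeclass -o json` listing
# from a hypothetical cluster (not data from the original page).
RUNTIMECLASSES_JSON = """
{"items": [
  {"metadata": {"name": "gvisor"}, "handler": "runsc"},
  {"metadata": {"name": "kata"},   "handler": "kata"},
  {"metadata": {"name": "fast"},   "handler": "runc"}
]}
"""

# Constructed sample: a trimmed `kubectl get pods -A -o json` listing.
PODS_JSON = """
{"items": [
  {"metadata": {"namespace": "prod", "name": "api-1"},
   "spec": {"runtimeClassName": "gvisor"}},
  {"metadata": {"namespace": "prod", "name": "worker-1"},
   "spec": {"runtimeClassName": "kata"}},
  {"metadata": {"namespace": "prod", "name": "legacy-1"},
   "spec": {}},
  {"metadata": {"namespace": "prod", "name": "cache-1"},
   "spec": {"runtimeClassName": "fast"}},
  {"metadata": {"namespace": "dev", "name": "typo-1"},
   "spec": {"runtimeClassName": "gvisr"}}
]}
"""

# CRI handlers that actually provide a sandbox. "runsc" is gVisor; "kata" is the
# handler name Kata commonly registers. Assumed set: extend it with the handler
# names your own containerd/CRI-O configuration uses (e.g. kata-qemu, kata-clh).
SANDBOX_HANDLERS = {"runsc", "kata"}


def handler_map(runtimeclasses_json):
    """Map RuntimeClass name -> CRI handler from `kubectl get runtimeclass -o json`."""
    rcs = json.loads(runtimeclasses_json)
    return {rc["metadata"]["name"]: rc.get("handler", "") for rc in rcs["items"]}


def audit_pods(pods_json, handlers, sandbox_handlers=SANDBOX_HANDLERS):
    """Return (namespace, pod, reason) for every pod not running under a sandbox handler.

    runtimeClassName on the pod is just a name; the RuntimeClass object's
    handler field is what the kubelet hands to the CRI, so that is what is checked.
    """
    findings = []
    for pod in json.loads(pods_json)["items"]:
        ns = pod["metadata"]["namespace"]
        name = pod["metadata"]["name"]
        rc_name = pod.get("spec", {}).get("runtimeClassName")
        if rc_name is None:
            findings.append((ns, name, "no runtimeClassName (default runtime)"))
        elif rc_name not in handlers:
            # The kubelet will not start this pod as-is, but flag it anyway:
            # creating a RuntimeClass of that name later would silently decide its runtime.
            findings.append((ns, name, f"runtimeClassName {rc_name!r} does not exist"))
        elif handlers[rc_name] not in sandbox_handlers:
            findings.append((ns, name,
                             f"RuntimeClass {rc_name!r} uses non-sandbox handler {handlers[rc_name]!r}"))
    return findings


if __name__ == "__main__":
    for ns, name, reason in audit_pods(PODS_JSON, handler_map(RUNTIMECLASSES_JSON)):
        print(f"{ns}/{name}: {reason}")
```

Against a live cluster, replace the two constants with the output of the corresponding kubectl commands; every pod it reports is either running on the node's default runtime, pointing at a class that does not exist, or mapped to a plain runc handler behind a sandbox-sounding name, and none of those get the Scope reduction claimed above.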
← CME-604: Unprivileged User Namespaces Disabled
CME-702: Linux Namespaces (User, PID, Network, Mount) →