Page 04 - Page 1 editors: 杨旭, 赵政, 张宇杰; Page 2 editors: 殷新宇, 张安宇, 崔斌; Page 3 editors: 韩晓明, 姜波, 程是颉; Page 4 editors: 袁振喜, 陈震, 余璇

Source: dev资讯

Instead of filtering syscalls to the host kernel, gVisor interposes a completely separate kernel implementation called the Sentry between the untrusted code and the host. The Sentry does not access the host filesystem directly; instead, a separate process called the Gofer handles file operations on the Sentry’s behalf, communicating over a restricted protocol. This means even the Sentry’s own file access is mediated.


let totalBytes = 0;
