Wikifunctions relies on containers as the sole sandboxing mechanism for executing user-controlled code. This is unwise, because code running in containers still has access to the host kernel via syscalls, and can escape the container by exploiting vulnerabilities in the Linux kernel. gVisor provides an additional layer of protection by intercepting and monitoring, in user space, all system calls made by the application.
TODO:
- Configure Beta Cluster instance of function-evaluator to run under gVisor.
- Configure production instance of function-evaluator to run under gVisor.