
Using the KVM API - ingve
http://lwn.net/Articles/658511/
======
winter_blue
_"A virtual machine using KVM need not run a complete operating system or
emulate a full suite of hardware devices. Using the KVM API, a program can run
code inside a sandbox and provide arbitrary virtual hardware interfaces to
that sandbox."_

This is amazing. If you're building something platform-level, like e.g. NaCl,
I presume you could use the KVM API to provide stronger isolation beyond the
standard limited isolation of a regular Linux process.

~~~
walterbell
See also Cappsule, for launching Linux applications in VMs,
[https://cappsule.github.io](https://cappsule.github.io)

_"Cappsule is a new kind of hypervisor developed by Quarkslab (to our
knowledge, there’s no similar public project). Its goal is to virtualize any
software on the fly (e.g. web browser, office suite, media player) into
lightweight VMs called cappsules. Attacks are confined inside cappsules and
therefore don’t have any impact on the host OS. Applications don’t need to be
repackaged, and their usage remains the same for the end user: it’s completely
transparent. Moreover, the OS doesn’t need to be reinstalled nor modified."_

~~~
iamcreasy
Is it similar to Spikes Security's Malware Isolation?

~~~
walterbell
That seems to run browser sessions in VMs on network appliances, then it sends
a processed (?) version to endpoints.

Cappsule is currently targeted at Linux desktops. It could theoretically be
used on a Linux server to implement the isolation component of Spikes
Security, but additional functionality would be needed to generate the "safe"
version of content for endpoints, or to forward pixels to thin clients.

------
kashyapc
Related: KVM / QEMU technical architectural overview slides by Stefan
Hajnoczi, one of the QEMU maintainers. (No talk recording, unfortunately; a
pity, as he's an excellent speaker.)

http://vmsplice.net/~stefan/qemu-kvm-architecture-2015.pdf

------
JoshTriplett
Fun to see renewed attention to this article recently. Happy to answer any
questions.

------
zokier
I think this is one of my favorite articles demonstrating the application of
the "everything is a file" principle in Linux. Most people think of files as
something with a path, and something you read and write to, commonly in a
relatively streaming fashion. But as the article demonstrates with the KVM API,
there is more to how files are used in Linux than that.

