# Linux mapping notes (draft)

## Isolation domains
- namespaces (pid, net, mount, user) + cgroups.

## Capabilities / sandbox
- seccomp for syscall filtering
- LSM (AppArmor/SELinux/Landlock) for policy enforcement
- ambient capabilities should be avoided; prefer explicit capability passing.
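
An added example, not part of the original notes: a Python audit over `/proc/<pid>/status` text that flags a non-empty ambient capability set, a cleared `no_new_privs` bit, and a disabled seccomp mode. The sample status text is constructed, and the function names `decode_caps` and `audit_status` are illustrative.

```python
"""Audit a process's sandbox posture from /proc/<pid>/status text."""

# Capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()
SECCOMP_MODES = {"0": "disabled", "1": "strict", "2": "filter"}

# Constructed sample, not captured from a real host: a worker started with
# CAP_NET_BIND_SERVICE in its ambient set, no no_new_privs, no seccomp.
SAMPLE_STATUS = (
    "Name:\tworker\nCapInh:\t0000000000000400\nCapPrm:\t0000000000000400\n"
    "CapEff:\t0000000000000400\nCapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000400\nNoNewPrivs:\t0\nSeccomp:\t0\n"
)

def decode_caps(mask):
    """Return names for the bits set in a capability mask (unknown: CAP_<n>)."""
    return [f"CAP_{CAP_NAMES[b]}" if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if (mask >> b) & 1]

def audit_status(text):
    """List findings: ambient caps present, no_new_privs off, seccomp off."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    findings = []
    # Fields missing on older kernels are reported rather than assumed safe.
    for name in ("CapAmb", "NoNewPrivs", "Seccomp"):
        if name not in fields:
            findings.append(f"{name} not reported by this kernel")
    ambient = decode_caps(int(fields.get("CapAmb", "0"), 16))
    if ambient:
        findings.append("ambient capabilities set: " + ", ".join(ambient))
    if fields.get("NoNewPrivs") == "0":
        findings.append("no_new_privs is not set")
    if SECCOMP_MODES.get(fields.get("Seccomp")) == "disabled":
        findings.append("seccomp is disabled")
    return findings

if __name__ == "__main__":
    with open("/proc/self/status") as fh:
        print("\n".join(audit_status(fh.read())) or "no findings")
```
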

## Eventing
- epoll + structured logs
- optional auditd hooks

## Resource control
- cgroups for CPU/memory/IO
- accelerator scheduling will depend on driver/runtime stack