Linux mapping notes (draft)
Isolation domains
- namespaces (pid, net, mount, user) + cgroups.
Capabilities / sandbox
- seccomp for syscall filtering
- LSM (AppArmor/SELinux/Landlock) for policy enforcement
- ambient capabilities should be avoided; prefer explicit capability passing.
Eventing
- epoll + structured logs
- optional auditd hooks
Resource control
- cgroups for CPU/memory/IO
- accelerator scheduling will depend on driver/runtime stack