Linux supports OS-level virtualization where the Linux Kernel can run multiple independent user spaces, isolating them from each other through separate virtual memory space and system call state.
So does Windows.
It can run a hypervisor host as a way to further manage isolation though.
Not quite. Linux Kernel has a stable user space API which lets you run Docker containers on any Linux distribution and kernel version. Whereas on Windows Server, you need to use the exact same build of Windows in your container image, otherwise containers will run in a virtual machine with hypervisor-based isolation.
I think it was a simple fix for Microsoft to introduce a hypervisor 'ring -1' in order to split the kernel 'ring 0' address space into a 'secured' OS kernel VM and an insecure kernel-mode driver VM, so they didn't have to retouch the kernel and make use of features like intermediate protection rings 1 and 2, available since Intel 80386. Instead they shifted the burden to OEMs who need to test their drivers for compatibility with HVCI code integrity.
Containers have no relation to hypervisor virtualisation or malware protection.
depends on the container technology
No. Containers were originally designed to bundle server applications with required versions of user-mode libraries and configuration files, but share the main OS kernel and thus use far fewer processor resources than virtual machine instances running full OS images.
https://www.ibm.com/cloud/learn/containers
https://cloud.google.com/containers/
https://www.redhat.com/en/blog/arch...erstanding-user-space-vs-kernel-space-matters
https://www.redhat.com/en/blog/architecting-containers-part-2-why-user-space-matters
https://www.redhat.com/en/blog/arch...art-3-how-user-space-affects-your-application
etc.
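A constructed example, written for this thread rather than taken from any post in it, of what the "separate user spaces on a shared kernel" point looks like in practice on Linux: it reads the kernel namespace identities of two processes from `/proc` and lists which namespaces they share and which form the isolation boundary. It assumes a Linux `/proc`; on another OS every lookup reports as unknown.

```python
"""Show where Linux container isolation lives: in kernel namespaces.

Constructed example: compares the namespace inodes of two processes (by
default this process and PID 1). Processes in one container share every
namespace; a container and the host share only what the runtime chose,
while the kernel release reported by uname() is the same for both.
"""
import os
import re
from typing import Dict, List, Optional, Union

NS_TYPES = ("cgroup", "ipc", "mnt", "net", "pid", "user", "uts")
_NS_LINK = re.compile(r"^(\w+):\[(\d+)\]$")  # link target looks like "pid:[4026531836]"


def parse_ns_link(target: str) -> int:
    """Return the namespace inode number encoded in a /proc/<pid>/ns/<type> link."""
    m = _NS_LINK.match(target)
    if m is None:
        raise ValueError(f"unexpected namespace link target: {target!r}")
    return int(m.group(2))


def namespace_ids(pid: Union[int, str] = "self") -> Dict[str, Optional[int]]:
    """Map namespace type -> inode for a process; None where /proc denies access
    (reading another user's process needs ptrace-level permission)."""
    ids: Dict[str, Optional[int]] = {}
    for ns in NS_TYPES:
        try:
            ids[ns] = parse_ns_link(os.readlink(f"/proc/{pid}/ns/{ns}"))
        except OSError:
            ids[ns] = None
    return ids


def shared_namespaces(a: Dict[str, Optional[int]], b: Dict[str, Optional[int]]) -> List[str]:
    """Namespace types with identical, known inodes in both processes."""
    return sorted(ns for ns in NS_TYPES if a.get(ns) is not None and a.get(ns) == b.get(ns))


def isolated_namespaces(a: Dict[str, Optional[int]], b: Dict[str, Optional[int]]) -> List[str]:
    """Namespace types known for both processes but different: the isolation boundary."""
    return sorted(ns for ns in NS_TYPES
                  if a.get(ns) is not None and b.get(ns) is not None and a[ns] != b[ns])


if __name__ == "__main__":
    me, init = namespace_ids("self"), namespace_ids(1)
    print("kernel release (shared by every container on this host):", os.uname().release)
    print("namespaces shared with PID 1:  ", shared_namespaces(me, init))
    print("namespaces isolated from PID 1:", isolated_namespaces(me, init))
```

Run it once on the host and once inside a container on the same host: the kernel release line is identical, while the isolated list is what differs.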
So what would be the use of 'app containers' for desktop applications?
If the OS wraps all Windows apps in an 'app container' that includes user-mode OS subsystems (from the same build which allows 'process isolation') to additionally 'sandbox' them, then how would that be different from the way regular Windows OS works with multiple processes? User-mode OS components inside a container would have no additional protection, because they still run in that process' virtual address space, in the same protection ring 3, and all 'sandboxing' depends on security mitigations implemented in regular OS components.
That would make more sense if the OS could include only the required user-mode components in each app 'container', however automatically determining which API and library would be required by that specific process is not trivial, and even UWP apps do not include such detailed declarations.
There's little point in 'Hyper-V isolation', i.e. running app containers in a separate VM, since hypervisor virtualisation has a significant overhead (which is mitigated by the ability to easily launch multiple instances of the container across your server infrastructure), and user-mode apps have no access to kernel mode features like I/O operations in the first place.
https://shatteredsilicon.net/blog/2020/03/19/virtual-performance-or-lack-thereof/
https://petersenna.com/files/peters-top4-virtualization-benchmark-1.29.pdf
https://unrealcontainers.com/docs/concepts/windows-containers#hyper-v-isolation-mode-issues
Linux has more CVEs than Windows does, and they too are still finding new bugs in their code each day.
At least they are not pretending it wasn't their fault so they can put the burden on OEMs and end users. Microsoft is instead forcing server/enterprise specs for remotely-managed 'secured-core PC' on everyone as their solution.