gVisor implements a subset of the Linux syscall surface in user space: it intercepts a container's syscalls and services them in its own user-space kernel (the Sentry), so that only a small, seccomp-restricted set of host syscalls is ever made. Stronger than vanilla Docker sandboxing for adversarial workloads, since the host kernel's attack surface is no longer directly reachable from the container. Used by IronClaw and several enterprise self-hosted AI deployments.
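Registering gVisor as a Docker runtime, as an added example rather than text from the original entry: this is the `runsc` runtime entry for the Docker daemon's `daemon.json`; the `runsc` binary path is assumed to be the default install location and may differ on your host.

```json
{
  "runtimes": {
    "runsc": {
      "path": "/usr/local/bin/runsc"
    }
  }
}
```

After restarting the daemon, start a workload with `docker run --runtime=runsc ...`; inside such a container `dmesg` prints gVisor's own boot messages rather than the host kernel's, which is a quick way to confirm the sandbox is actually in effect.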