WSL hardening #4913
Replies: 1 comment 2 replies
-
|
Rancher Desktop exclusively uses WSL2, which is also a Linux VM running on Hyper-V (though it uses one VM for all Linux distributions — they're separate containers with their own pid/mount/etc. namespaces). WSL1 is the one that attempted to use the Windows kernel to implement the Linux syscall ABI. This is also why we do not offer integration with WSL1 distributions (since we can't just expose things to the I will let the people who actually manage the roadmap discuss the roadmap; I only have guesses there :) |
Beta Was this translation helpful? Give feedback.
-
|
My understanding was that WSL2 used Hyber-V as you mentioned. However, compromises are still made through how the "lightweight utility virtual machine" does networking, filesystem, and other subsystems tied to Windows. |
Beta Was this translation helpful? Give feedback.
-
|
Yeah, the WSL2 VM is a funny version of a Hyper-V VM. It uses (I believe) a different API to run things too, so that it's available for Windows Home. |
Beta Was this translation helpful? Give feedback.
-
The attack surface of WSL is hard to defend from threats. My compliance team is primarily stuck on the tight integration with the Windows kernel and the lack of group policy controls. At least one other desktop container offering has a mode that uses hyper-v to run a type 1 isolated VM to sandbox the backend OS+daemons used to execute Linux containers. I appreciate any time spend on entertaining these questions!
Is this approach on a roadmap?
Am I missing any details I could use to defend the challenge from my compliance team?
Would the rancher-desktop project take contributions that add a hypervisor-based isolated mode? (Thinking porting the WSL distro to have another deliverable format, installer updates, and plumbing for CLI socket + daemon connectivity)
(FYI @tperale )
Beta Was this translation helpful? Give feedback.
All reactions