Comment by 112233
4 months ago
How would you do it? I'm quite interested! How can you hide container processes in host procfs using bwrap? And make sure no mounts stay mounted in the host? The most "nothing leaks in" runtime I've seen is gVisor (before going VM). Attaining that with bwrap would be nice, but I'm sceptical.