Thanks so much for the feedbacks. Yes these are valid concerns around libkrun security, We are planning and developing features around them actually, and hopefully that could alleviate the conerns.

for virtio-fs, yes the risk of exposing the host fs struture exists, and we plan to:

1. creating staging directory for each vm and bind-mount the host dir onto them

2. having private mount namespaces for vms

they are both tracked in our github issues:

https://github.com/smol-machines/smolvm/issues/152 https://github.com/smol-machines/smolvm/issues/151

2 may need much more efforts than we imagine, but we will ensure to call this out in our doc.

For the concern around TSI, we are developing virtio-net in-parallel, it is also tracked in our github and will be released soon: https://github.com/smol-machines/smolvm/issues/91

Would like to collect mroe suggestions on how to make this safer. Thanks!

Security is a broad topic.

Here's how my perspective:

smolvm operates on the same shared responsibility model as other virtual machines.

VM provides VM-level isolation.

If the user mounts a directory with the capability of symlinks or a host OS with a path for guest software that is designed to escape - that is the responsibility of the user rather than the VM.

Security is not guaranteed by using a specific piece of software, it's a process that requires different pieces for different situations. smolvm can be a part of that process.