# Understanding Security Boundaries Between Containers and the Host System in Apple Container

> Learn about security boundaries between containers and the host system in apple/container. Discover how namespace isolation and macOS sandboxing protect your host resources.

- Repository: [Apple/container](https://github.com/apple/container)
- Tags: deep-dive
- Published: 2026-06-22

---

**Apple Container enforces security boundaries between containers and the host system through namespace isolation, macOS sandbox entitlements, seccomp syscall filtering, overlay filesystems, and network virtualization, ensuring compromised containers cannot access host resources.**

The `apple/container` repository provides a Linux-compatible container runtime for macOS that implements defense-in-depth isolation. Understanding these **security boundaries** is critical for operators deploying untrusted workloads or multi-tenant environments on Apple silicon hardware.

## Namespace Isolation

The foundation of container isolation begins with **namespace isolation**, which separates process IDs, network interfaces, mount points, and user IDs from the host kernel.

In [`Sources/ContainerRuntime/ContainerRuntime.swift`](https://github.com/apple/container/blob/main/Sources/ContainerRuntime/ContainerRuntime.swift), the runtime creates distinct namespaces when invoking the containerd shim. This ensures a container cannot view or interfere with host processes or network configurations. The implementation aligns with the architecture described in the repository's **[Technical Overview](https://github.com/apple/container/blob/main/docs/technical-overview.md)**.

## Sandbox and Entitlements

macOS **sandbox profiles** and signed entitlements provide mandatory access control beyond traditional Unix permissions.

The repository ships hardened entitlement files that the runtime loads during container initialization:

- **`signing/container-runtime-linux.entitlements`**: Restricts filesystem access and privileged operations
- **`signing/container-network-vmnet.entitlements`**: Grants limited network virtualization capabilities

When launching a container, the runtime applies these entitlements through the `ContainerConfiguration` structure:

```swift
import ContainerRuntime

let runtime = ContainerRuntime()
let config = ContainerConfiguration(
    image: "docker.io/library/alpine:latest",
    sandboxEntitlements: URL(fileURLWithPath: "/path/to/container-runtime-linux.entitlements")
)

try runtime.startContainer(with: config)

```

*The `sandboxEntitlements` parameter points to the signed entitlement file that limits the container's capabilities according to the policy defined in [[`SECURITY.md`](https://github.com/apple/container/blob/main/SECURITY.md)](https://github.com/apple/container/blob/main/SECURITY.md).*

## Seccomp and System Call Filtering

To prevent kernel exploitation, Apple Container employs **seccomp** (secure computing mode) to filter system calls. The runtime generates a seccomp profile when invoking the underlying containerd shim, blocking dangerous syscalls that could escalate privileges.

As documented in [`SECURITY.md`](https://github.com/apple/container/blob/main/SECURITY.md), this filtering prevents containers from accessing host-level kernel interfaces while preserving compatibility with standard Linux workloads. The profile is dynamically applied based on the container configuration, ensuring only whitelisted syscalls reach the macOS kernel.

## Filesystem Isolation with OverlayFS

The **overlay filesystem** ensures that container writes never touch the host's root filesystem, creating an immutable base layer with a writable upper layer.

In [`Sources/OverlayFS/OverlayMount.swift`](https://github.com/apple/container/blob/main/Sources/OverlayFS/OverlayMount.swift), the runtime constructs overlay mounts that redirect all modifications:

```swift
import OverlayFS

let overlay = OverlayMount(
    lowerDir: "/usr/local/containers/base",
    upperDir: "/usr/local/containers/overlays/upper",
    workDir:  "/usr/local/containers/overlays/work"
)
try overlay.mount(at: "/var/run/container/rootfs")

```

*All writes from the container are redirected to the `upperDir`, leaving the host's `lowerDir` untouched and preserving filesystem integrity.*

## Network Virtualization

Each container receives its own **virtual network interface** via the `vmnet` framework, attached to a NAT bridge that isolates traffic from the host's physical interfaces.

The network stack in [`Sources/Network/ContainerNetwork.swift`](https://github.com/apple/container/blob/main/Sources/Network/ContainerNetwork.swift) creates these interfaces:

```swift
import Network

let network = ContainerNetwork()
let iface = try network.createVMNetInterface(name: "container0")
try network.attachInterface(to: containerID, interface: iface)

```

*The `vmnet` framework creates a virtual NIC that lives only inside the container's network namespace, preventing ARP spoofing or network-level attacks against the host.*

## Resource Limits and Daemon Mediation

All container lifecycle operations route through a **user-space daemon** that validates requests before interacting with host resources. The daemon's entry point in [`Sources/ContainerDaemon/main.swift`](https://github.com/apple/container/blob/main/Sources/ContainerDaemon/main.swift) enforces **cgroups-like limits** using macOS task-policy APIs.

Resource constraints are defined in [`ContainerConfiguration.swift`](https://github.com/apple/container/blob/main/ContainerConfiguration.swift) and applied via `ResourceLimits`:

```swift
import ResourceLimits

let limits = ResourceLimits(cpuQuota: 0.5, memoryMB: 256)
try runtime.applyLimits(to: containerID, limits: limits)

```

*These limits prevent denial-of-service attacks by restricting CPU, memory, and PID consumption, ensuring a runaway container cannot exhaust host resources.*

## Summary

Apple Container implements a multi-layered security model that defends against container escape and host compromise:

- **Namespace isolation** in [`ContainerRuntime.swift`](https://github.com/apple/container/blob/main/ContainerRuntime.swift) hides host processes and network interfaces from containers
- **Sandbox entitlements** restrict filesystem and capability access through signed profiles
- **Seccomp filtering** blocks dangerous syscalls at the kernel boundary
- **OverlayFS** ensures filesystem writes remain isolated from the host root
- **Network virtualization** via `vmnet` isolates traffic and prevents network-level attacks
- **Resource limits** enforced by the daemon prevent resource exhaustion attacks

## Frequently Asked Questions

### How does Apple Container prevent containers from accessing host files?

Apple Container uses **macOS sandbox profiles** defined in `signing/container-runtime-linux.entitlements` combined with **namespace isolation** to restrict filesystem visibility. The sandbox kernel extension enforces mandatory access controls, while the overlay filesystem in [`Sources/OverlayFS/OverlayMount.swift`](https://github.com/apple/container/blob/main/Sources/OverlayFS/OverlayMount.swift) ensures all writes occur in isolated upper directories, preventing any modification of host system files.

### What prevents a compromised container from taking over the host kernel?

The **seccomp** syscall filter and **entitlement restrictions** provide defense-in-depth. The runtime generates a seccomp profile that blocks privileged syscalls, while the macOS sandbox prevents access to kernel interfaces. Additionally, the `containerd`-compatible daemon in [`Sources/ContainerDaemon/main.swift`](https://github.com/apple/container/blob/main/Sources/ContainerDaemon/main.swift) mediates all requests, validating operations before they reach the host kernel.

### Can containers exhaust host CPU or memory resources?

No. The runtime enforces **cgroups-like limits** through macOS task-policy APIs as implemented in [`Sources/ResourceLimits/ResourceLimits.swift`](https://github.com/apple/container/blob/main/Sources/ResourceLimits/ResourceLimits.swift). Operators can specify CPU quotas and memory caps in `ContainerConfiguration`, and the daemon terminates containers that exceed these limits, protecting the host from denial-of-service conditions.

### Is network traffic between containers isolated from the host?

Yes. Each container receives a **virtual network interface** via the `vmnet` framework, managed in [`Sources/Network/ContainerNetwork.swift`](https://github.com/apple/container/blob/main/Sources/Network/ContainerNetwork.swift). These interfaces exist only within the container's network namespace and connect through a NAT bridge, preventing direct access to the host's physical network interfaces or other containers' traffic without explicit forwarding rules.