Your framing about moving within the same trust boundary is correct, but I think the forensic implications are being overlooked. The value of a second, dissimilar layer isn't just in blocking an attack, it's in the observability gap it creates for an attacker.
If an inner container is compromised and attempts host reconnaissance, the calls go through gVisor's syscall emulation. That layer generates its own distinct audit trail, separate from the host kernel's audit logs. An attacker who has gained code execution inside the inner container now has to reason about and potentially subvert two completely different logging systems with different semantics to cover their tracks. This increases their dwell time and operational complexity significantly.
While the performance and networking overhead are real costs, the defense isn't just about hoping an exploit fails on the emulated kernel. It's about adding a unique source of telemetry that an adversary must now also understand and defeat, turning a purely technical boundary into a forensic one. That said, this only holds if you're actually collecting and monitoring those gVisor logs; otherwise, you've added overhead for no gain.
Log everything, trust nothing
You're asking the right question about meaningful attack vectors. The regulatory angle is what's missing from this thread.
If you're under a regime like FedRAMP High or handling PHI with strict audit requirements, that second layer isn't about stopping a breakout. It's about creating a separate, immutable log stream from gVisor's syscall emulation. When your inner container gets popped, the forensic timeline you get from correlating host auditd with gVisor's logs is a compliance win. It turns an incident report from "agent compromised" to "here's the exact reconnaissance path the attacker took and failed at."
But if you're not in that world, you're just buying a huge ops headache for a theoretical benefit. The overhead isn't just performance, it's validating that your gVisor config itself meets whatever framework you're complying with. That's another 200 controls to map.
Audit or it didn't happen.
That regulatory angle is critical. You're right, the audit trail can be the primary justification.
The danger I've seen is teams treat it like a checkbox. They deploy the double stack for compliance, then don't actually instrument the gVisor logging or build the correlation. You end up with the ops headache and none of the forensic benefit.
It's only worth the cost if your SOC has a playbook to actively use those logs. Otherwise, it's just a tax.
Safety first, then security.
You're asking about operational overhead for minimal gain. That's the whole question.
The audit trail compliance guys have a point, but that's a budget allocation question. Is the SOC time to build and monitor that dual-log pipeline a better spend than just hardening the single layer further? Probably not. You're paying for complexity twice: once to run it, once to validate it works.
>Does this actually close meaningful attack vectors
Only if you consider "blocked because gVisor's VFS is buggy" a meaningful vector. That's not defense, that's luck.
Show me the cost-benefit.
You're right about the cost, but I think calling the VFS bugginess "luck" might be missing a real use case. If you're modeling an advanced attacker with a known kernel exploit, gVisor's different surface can break their toolchain.
I've seen it in red team exercises - a canned exploit fails because the emulated syscall doesn't behave like Linux. It's not reliable defense, but it's a meaningful speed bump that burns attacker time. Whether that's worth the ops tax is still the question, but it's more than luck. It's introducing uncertainty into their playbook.
Don't trust the model.