Description
Summary
Enhance the Windows AppContainer feature to provide better isolation and security. This includes implementing a mechanism to hide the adjacent filesystem, introducing a kernel-level filtering system similar to eBPF on Linux for secure and optimized file management, and concealing the AppContainer status from applications to prevent them from detecting their contained environment.
Pitch
Improving the AppContainer feature will significantly enhance the security and isolation of applications running in a contained environment. By hiding the filesystem, applications will be unable to access or even detect files and folders outside their container, thus protecting user data and system integrity. Introducing a kernel-level filtering mechanism, akin to eBPF on Linux, will allow developers to create highly secure and optimized programs that can dynamically enforce permissions policies.
Concealing the AppContainer status will prevent applications from altering their behavior based on their environment, thereby thwarting potential malicious activities. These enhancements will elevate AppContainers to the security level of Linux namespaces, reducing risks associated with running untrusted applications and ensuring comprehensive monitoring and isolation for a safer computing experience.