A runtime, not a platform.
ZViz is a single static Zig binary that runs OCI bundles with a security policy you can read in an afternoon. It is a Skelf-Research project, Apache 2.0 licensed.
What it is
- An OCI-compatible container runtime written in Zig.
- A selective-denial policy model: 132 syscalls reach the host kernel directly, 24 are blocked at seccomp, one (`socket`) is argument-filtered inline.
- A layered enforcement stack: namespaces, capability drop (all 41), Landlock LSM, seccomp-BPF, cgroups v2.
- A userspace broker for syscalls that need argument inspection without full emulation.
What it is not
- Not a userspace kernel. ZViz does not emulate syscalls the way gVisor's Sentry does. Allowed syscalls hit the host kernel at native speed.
- Not a MicroVM. There is no KVM guest, no virtio devices, no boot path. ZViz runs on bare Linux kernel primitives.
- Not a daemon. There is no long-running supervisor process. `zviz run` exec-replaces into PID 1.
- Not a drop-in for every workload. If you need `ptrace`, `mount`, or `unshare` inside the container, you want gVisor.
Who it's for
- AI agent runtimes executing LLM-generated code.
- Code-execution platforms running notebooks, REPLs, untrusted snippets.
- CI sandboxers that want a smaller kernel attack surface than plain runc.
- Multi-tenant platforms where one tenant's workload runs next to another's.
Threat model in one paragraph
The adversary is the code inside the container. They may have arbitrary userspace capabilities within their namespace, may attempt to call any syscall, may try to load kernel modules, escalate capabilities, escape namespaces, or pivot via writeable filesystem paths. ZViz assumes the host kernel is trusted; if a CVE exists in an allowed syscall path, that risk is shared with the host. The selective-denial design is an explicit bet that you can shrink the reachable surface enough to make this trade-off favorable for most workloads — and gain native syscall throughput as a side effect.
Requirements
- Linux kernel ≥ 5.13 (Landlock LSM).
- cgroups v2 enabled.
- Zig 0.15.0+ to build from source.
- On Ubuntu 24.04+: the bundled AppArmor profile, or accept chdir-only filesystem isolation.
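A host preflight for the kernel, Landlock and cgroups v2 requirements above, as an added example that is not part of ZViz or its documentation. The function names are hypothetical, and the `/sys` paths are the standard Linux locations, passed as parameters so the checks can be pointed at other files.

```shell
#!/usr/bin/env bash
# Added example (not ZViz code): preflight for the requirements listed above.
# Function names are hypothetical; /sys paths are standard Linux locations.

# kernel_at_least RELEASE MAJOR MINOR
# Numeric compare on major.minor, so "5.9.16" is correctly older than 5.13.
kernel_at_least() {
    local rel="$1" major minor
    case "$rel" in *.*) ;; *) return 2 ;; esac
    major="${rel%%.*}"
    minor="${rel#*.}"; minor="${minor%%[!0-9]*}"
    case "$major" in ''|*[!0-9]*) return 2 ;; esac
    [ -n "$minor" ] || return 2
    [ "$major" -gt "$2" ] || { [ "$major" -eq "$2" ] && [ "$minor" -ge "$3" ]; }
}

# lsm_active NAME FILE
# A new enough kernel is not sufficient: Landlock can be compiled in yet
# missing from the active LSM list, which securityfs exposes comma-separated.
lsm_active() {
    local name="$1" file="$2" list
    [ -r "$file" ] || return 2
    list="$(cat "$file")"
    case ",$list," in *",$name,"*) return 0 ;; *) return 1 ;; esac
}

# cgroup_v2 ROOT
# On a unified (v2) hierarchy the mount root carries cgroup.controllers.
cgroup_v2() { [ -f "$1/cgroup.controllers" ]; }

# preflight [RELEASE] [LSM_FILE] [CGROUP_ROOT]; returns the number of failures.
preflight() {
    local rel="${1:-$(uname -r)}" lsm="${2:-/sys/kernel/security/lsm}"
    local cg="${3:-/sys/fs/cgroup}" fail=0
    kernel_at_least "$rel" 5 13 || { echo "FAIL kernel $rel is older than 5.13"; fail=$((fail + 1)); }
    lsm_active landlock "$lsm"  || { echo "FAIL landlock not in active LSM list ($lsm)"; fail=$((fail + 1)); }
    cgroup_v2 "$cg"             || { echo "FAIL no unified cgroup v2 hierarchy at $cg"; fail=$((fail + 1)); }
    if lsm_active apparmor "$lsm"; then
        echo "NOTE AppArmor is active; on Ubuntu 24.04+ see the AppArmor requirement"
    fi
    if [ "$fail" -eq 0 ]; then echo "OK host meets the listed requirements"; fi
    return "$fail"
}

# Run against the live host only when asked: ./preflight.sh --check
if [ "${1:-}" = "--check" ]; then preflight; exit $?; fi
```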
Project & license
ZViz is a Skelf-Research project. Source on GitHub. Apache 2.0. Documentation at docs.skelfresearch.com/zviz.