The main reason why lockc exists is that containers do not contain. Containers are not as secure and isolated as VMs. By default, they expose a lot of information about host OS and provide ways to “break out” from the container. lockc aims to provide more isolation to containers and make them more secure.
The Containers do not contain documentation section explains what we mean by that phrase and what kind of behavior we want to restrict with lockc.
Please note that currently lockc is an experimental project, not meant for production environment and without any official binaries or packages to use – currently the only way to use it is building from sources.
lockc’s userspace part is licensed under Apache License, version 2.0.