In this blog post, the author discusses making Directfs the default feature in runsc, the application kernel of gVisor. Directfs gives the Sentry secure direct access to the container filesystem, avoiding round trips to the filesystem gofer. The gofer was originally added to give the sandbox secure remote filesystem access, but for local filesystems it added unnecessary overhead. Directfs mode uses Linux's filesystem isolation mechanisms to present a secure view of the container filesystem to the sandbox. This new feature significantly improves performance for certain workloads.
https://gvisor.dev/blog/2023/06/27/directfs/