Tweaks to architecture guide (#4)
iangudger authored and amscanne committed Apr 2, 2019
1 parent 27a8830 commit cf172c7
Showing 1 changed file with 16 additions and 16 deletions.
32 changes: 16 additions & 16 deletions content/docs/architecture_guide/overview.md
Expand Up @@ -2,7 +2,7 @@
title = "Overview & Platforms"
weight = 10
+++
gVisor sandbox consists of multiple processes when running. These sandboxes
A gVisor sandbox consists of multiple processes when running. These processes
collectively comprise a shared environment in which one or more containers can
be run.

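Review bot: the new first sentence "A gVisor sandbox consists of multiple processes when running" still carries the redundant qualifier "when running": a sandbox only has processes while it is running, so "A gVisor sandbox consists of multiple processes." reads cleaner and the following "These processes collectively comprise a shared environment" then attaches naturally. Minor style point only; the change from "These sandboxes" to "These processes" is the right fix, since the old wording made it sound as if several sandboxes shared one environment.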
Expand All @@ -28,7 +28,7 @@ the [OCI runtime spec][runtime-spec] for more information on filesystem bundles.
`runsc` implements multiple commands that perform various functions such as
starting, stopping, listing, and querying the status of containers.

## The Sentry
## Sentry

The Sentry is the largest component of gVisor. It can be thought of as a
userspace OS kernel. The Sentry implements all the kernel functionality needed
Expand All @@ -37,33 +37,33 @@ signal delivery, memory management and page faulting logic, the threading
model, and more.

When the untrusted application makes a system call, the currently used platform
redirects to the Sentry, which will do the necessary work to service the system
call. It is important to note that the Sentry will not simply pass through
system calls to the host kernel. As a userspace application, the Sentry will
make some host system calls to support its operation, but it will not allow the
redirects the call to the Sentry, which will do the necessary work to service
it. It is important to note that the Sentry will not simply pass through system
calls to the host kernel. As a userspace application, the Sentry will make some
host system calls to support its operation, but it will not allow the
application to directly control the system calls it makes.

The Sentry aims to present an equivalent environment to (upstream) Linux v4.4.

I/O operations that extend beyond the sandbox (not internal /proc files, pipes,
etc) are sent to the Gofer, described below.
File system operations that extend beyond the sandbox (not internal /proc
files, pipes, etc) are sent to the Gofer, described below.

## Platforms

gVisor requires a platform to implement interruption of syscalls, basic context
gVisor requires a platform to implement interception of syscalls, basic context
switching, and memory mapping functionality.

### ptrace

The ptrace platform uses `PTRACE_SYSEMU` to execute user code without executing
host system calls. This platform can run anywhere that ptrace works (even VMs
without nested virtualization).
The ptrace platform uses `PTRACE_SYSEMU` to execute user code without allowing
it to execute host system calls. This platform can run anywhere that ptrace
works (even VMs without nested virtualization).

### KVM (experimental)

The KVM platform allows the Sentry to act as both guest OS and VMM, switching
back and forth between the two worlds seamlessly. The KVM platform can run on
bare-metal or on a VM with nested virtualization enabled. While there is no
bare-metal or in a VM with nested virtualization enabled. While there is no
virtualized hardware layer -- the sandbox retains a process model -- gVisor
leverages virtualization extensions available on modern processors in order to
improve isolation and performance of address space switches.
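Review bot: the replacement of "I/O operations that extend beyond the sandbox" with "File system operations that extend beyond the sandbox ... are sent to the Gofer" is more accurate, since the Gofer section describes it as providing file system access over 9P, but the narrowing leaves the overview silent on where non-file-system I/O (such as networking) leaves the sandbox; consider adding one sentence so a reader does not assume all external I/O goes through the Gofer. The other edits in this hunk are clear improvements: "interruption of syscalls" to "interception of syscalls" fixes a wrong term, and "without allowing it to execute host system calls" makes explicit that it is the application, not the platform, that is prevented from issuing host syscalls, which matches the Sentry paragraph above ("it will not allow the application to directly control the system calls it makes").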
Expand All @@ -73,12 +73,12 @@ improve isolation and performance of address space switches.
The Gofer is a normal host Linux process. The Gofer is started with each sandbox
and connected to the Sentry. The Sentry process is started in a restricted
seccomp container without access to file system resources. The Gofer provides
access to file system resources to the Sentry via the 9P protocol and provides
an additional level of isolation.
the Sentry access to file system resources via the 9P protocol and provides an
additional level of isolation.

## Application

The application (aka, the untrusted application) is a normal Linux binary
The application (aka the untrusted application) is a normal Linux binary
provided to gVisor in an OCI runtime bundle. gVisor aims to provide an
environment equivalent to Linux v4.4, so applications should be able to run
unmodified. However, gVisor does not presently implement every system call,
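Review bot: the untouched sentence "The Sentry process is started in a restricted seccomp container without access to file system resources" uses "container" for a mechanism that is a syscall filter, in a document where "container" otherwise means the OCI container being sandboxed; consider "is started with a restrictive seccomp filter and without access to file system resources" so the two meanings are not confused. The reordering to "provides the Sentry access to file system resources via the 9P protocol" reads better than the old "provides access to file system resources to the Sentry".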