In the documentation for gVisor, it is explained that "the sentry stores the effective mapping from virtual address to host file in a host VMA by invoking the mmap system call", so that the containerized application process has the information it needs to translate and access the virtual address it requested.
Here the sentry refers to the hypervisor process that is ptrace-ing the containerized child application process it spawns.
My question is, how exactly does the sentry call mmap() for the application process? If it is calling from its own process, doesn't this modify its own VMA table instead of that of the application process?
Barmar is correct in the comments above.
ptrace does not provide a direct mechanism to make a system call in the tracee. The core of gVisor's implementation can be found here. We pick a tracee thread, set the registers with RIP at the known location of a SYSCALL + trap instruction and argument registers set as desired, and then allow execution to continue through the syscall and stop again at the trap.