CONTAINING Security

Kernel's Guarantee:

DON'T BREAK USERSPACE

• syscalls (open, read, write, close, exec, fork, mmap, mount, stat, etc.)
• signals
• ioctl's
• prctl's
• fcntl's
• sysfs
• procfs
• and more, I'm sure

Context of errors is in kernelspace, not userspace

EPERM

EACCES

Kernel Namespaces:

• mount
• IPC (message queues, semaphores, shm)
• UTS (hostname)
• network
• PID
• cgroup
• user

unshare() and namespaces

Kernel Namespaces:

Orthogonal in nature

Varying levels of maturity

Drastically increase complexity and attack surface

Kernel Namespaces:

User Namespace

• neat step for isolation
• notable source of root escalations in the kernel
• still no viable vfs solutions (apart from chown'ing)

OpenShift (and others) are opting for just explicitly running as non-root UID

`runc' can now launch non-root containers directly

Access to Docker daemon means root privilege. Period.

LSM (Linux Security Modules)

• Kernel Framework
• There are several. Most compare SELinux vs. Apparmor
• (Comprehensive and Complex) vs. (Simple and Narrow)
• (RBAC and MAC) vs. (just MAC)

Capabilities

• capabilities(7)
• Determine an application's capabilities (and syscalls too)
• SystemTap (stap)
• no_new_privs flag

Syscalls

• wide surface area
• attempt at syscall reference
• seccomp(2)
• Container runtime configuration

grsecurity

• paid subscription to patches
• breaks support for kernel
• RBAC, like SELinux

Lock-Step

Audit

• Linux Audit
• BPF in kernel
  • bpf(2)
  • eBPF Superpowers 
  • eBPF overview
• remove `docker' group. Require `sudo'
• Container Runtime Events
• OpenShift events and tracing
• L7 application insights and policies

Lock-Step

Signing

• simple signing vs. Docker notary
• detached, static vs. isolated service
• your key rotation process vs. its key rotation process
• Determine your requirements and use-cases