container security - fedora · root), and unprivileged processes (whose effective uid is nonzero)....
TRANSCRIPT
![Page 1: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/1.jpg)
Container Security
Daniel J WalshConsulting Engineer
Twitter: @rhatdanBlog: danwalsh.livejournal.com
Email: [email protected]
![Page 2: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/2.jpg)
Container Security
![Page 3: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/3.jpg)
Container Security
As explained by the
three pigs
![Page 4: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/4.jpg)
Chapter 1: When should I use containers versus VMs?
Chapter 2: What platform should host my containers?
Chapter 3: How do I ensure container separation?
Chapter 4: How do I secure content inside container?
![Page 5: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/5.jpg)
GLOSSARY PIG==Application Service
![Page 6: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/6.jpg)
Chapter 1Where should the pigs live?
When should I use containers versus virtual machines?
![Page 7: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/7.jpg)
Standalone Homes(Separate Physical Machines)
![Page 8: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/8.jpg)
Duplex Home(Virtual Machines)
1 9 3 8 2 0 1 3
![Page 9: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/9.jpg)
Apartment Building(Containers)
40
30
41
31
42
32
43
33
![Page 10: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/10.jpg)
Hostel(Services Same Machine)
![Page 11: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/11.jpg)
Park(setenforce 0)
![Page 12: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/12.jpg)
http://stopdisablingselinux.com/
![Page 13: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/13.jpg)
Pigs in Apartment Buildings
Best combination of resource sharing ease of maintainance & security
![Page 14: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/14.jpg)
Chapter 2 What kind of apartment building?
What platform should host your containers?
![Page 15: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/15.jpg)
Straw?
![Page 16: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/16.jpg)
Straw?
Running containers on do it yourself platform.
![Page 17: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/17.jpg)
Sticks?
![Page 18: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/18.jpg)
Sticks?
Running containers on community platform.
![Page 19: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/19.jpg)
Brick?
![Page 20: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/20.jpg)
Brick?
Running containers on Red Hat Enterprise Linux
![Page 21: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/21.jpg)
RHEL Maintenance
![Page 22: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/22.jpg)
RHEL Maintenance
Security Response Team.
![Page 23: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/23.jpg)
Chapter 3How do I separate/secure
pig apartments?
![Page 24: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/24.jpg)
Chapter 3How do I separate/secure
pig apartments?
How do you ensure container separation?
![Page 25: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/25.jpg)
CONTAINERS DO NOT CONTAIN
http://www.maritimenz.govt.nz/images/Incident-area/Rena7.jpg
![Page 26: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/26.jpg)
Do you care?
![Page 27: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/27.jpg)
Should you care?
![Page 28: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/28.jpg)
● Drop privileges as quickly as possible
Treat Container Services just likeregular services
![Page 29: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/29.jpg)
● Drop privileges as quickly as possible● Run your services as non Root whenever
possible
Treat Container Services just likeregular services
![Page 30: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/30.jpg)
● Drop privileges as quickly as possible● Run your services as non Root whenever
possible● Treat root within a container the same as root
outside of the container
Treat Container Services just likeregular services
![Page 31: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/31.jpg)
● Drop privileges as quickly as possible● Run your services as non Root whenever
possible● Treat root within a container the same as root
outside of the container
Treat Container Services just likeregular services
"Docker is about running random crap from the internet as root on your host"
![Page 32: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/32.jpg)
Only run container images from trusted parties
See Chapter 4
"Docker is about running random crap from the internet as root on your host"
![Page 33: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/33.jpg)
Why don't containers contain?
![Page 34: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/34.jpg)
Why don't containers contain?
● Everything in Linux is not namespaced
![Page 35: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/35.jpg)
Why don't containers contain?
● Everything in Linux is not namespaced● Containers are not comprehensive like virtual
machines (kvm)
![Page 36: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/36.jpg)
Why don't containers contain?
● Everything in Linux is not namespaced● Containers are not comprehensive like virtual
machines (kvm)● Kernel file systems: /sys, /sys/fs, /proc/sys● Cgroups, SELinux, /dev/mem, kernel modules
![Page 37: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/37.jpg)
Chapter 3Overview of Security within
Docker containers
![Page 38: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/38.jpg)
Read Only Mount Points
● /sys, /proc/sys, /proc/sysrq-trigger,/proc/irq, /proc/bus
![Page 39: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/39.jpg)
Capabilities
man capabilities
DESCRIPTION
For the purpose of performing permission checks, traditional UNIX
implementations distinguish two categories of processes: privileged
processes (whose effective user ID is 0, referred to as superuser or
root), and unprivileged processes (whose effective UID is nonzero).
Privileged processes bypass all kernel permission checks, while
unprivileged processes are subject to full permission checking based on
the process's credentials (usually: effective UID, effective GID, and
supplementary group list).
Starting with kernel 2.2, Linux divides the privileges traditionally
associated with superuser into distinct units, known as capabilities,
which can be independently enabled and disabled. Capabilities are a
per-thread attribute.
![Page 40: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/40.jpg)
Capabilities Removed
CAP_SETPCAP Modify process capabilities
CAP_SYS_MODULE Insert/Remove kernel modules
CAP_SYS_RAWIO Modify Kernel Memory
CAP_SYS_PACCT Configure process accounting
CAP_SYS_NICE Modify Priotity of processes
CAP_SYS_RESOURCE Override Resource Limits
CAP_SYS_TIME Modify the system clock
CAP_SYS_TTY_CONFIG Configure tty devices
CAP_AUDIT_WRITE Write the audit log
CAP_AUDIT_CONTROL Configure Audit Subsystem
CAP_MAC_OVERRIDE Ignore Kernel MAC Policy
CAP_MAC_ADMIN Configure MAC Configuration
CAP_SYSLOGModify Kernel printk behavior
![Page 41: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/41.jpg)
Capabilities Removed
CAP_NET_ADMIN Configure the network
![Page 42: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/42.jpg)
Capabilities Removed
CAP_NET_ADMIN Configure the network
CAP_SYS_ADMIN Catch all
![Page 43: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/43.jpg)
SYS_ADMIN
less /usr/include/linux/capability.h .../* Allow configuration of the secure attention key *//* Allow administration of the random device *//* Allow examination and configuration of disk quotas *//* Allow setting the domainname *//* Allow setting the hostname *//* Allow calling bdflush() *//* Allow mount() and umount(), setting up new smb connection *//* Allow some autofs root ioctls *//* Allow nfsservctl *//* Allow VM86_REQUEST_IRQ *//* Allow to read/write pci config on alpha *//* Allow irix_prctl on mips (setstacksize) *//* Allow flushing all cache on m68k (sys_cacheflush) *//* Allow removing semaphores *//* Used instead of CAP_CHOWN to "chown" IPC message queues, semaphores and shared memory *//* Allow locking/unlocking of shared memory segment *//* Allow turning swap on/off *//* Allow forged pids on socket credentials passing *//* Allow setting readahead and flushing buffers on block devices */
![Page 44: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/44.jpg)
SYS_ADMIN/* Allow setting geometry in floppy driver *//* Allow turning DMA on/off in xd driver *//* Allow administration of md devices (mostly the above, but some extra ioctls) *//* Allow tuning the ide driver *//* Allow access to the nvram device *//* Allow administration of apm_bios, serial and bttv (TV) device *//* Allow manufacturer commands in isdn CAPI support driver *//* Allow reading non-standardized portions of pci configuration space *//* Allow DDI debug ioctl on sbpcd driver *//* Allow setting up serial ports *//* Allow sending raw qic-117 commands *//* Allow enabling/disabling tagged queuing on SCSI controllers and sending arbitrary SCSI commands *//* Allow setting encryption key on loopback filesystem *//* Allow setting zone reclaim policy */
![Page 45: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/45.jpg)
Namespaces
● PID Namespace
![Page 46: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/46.jpg)
Namespaces
● PID Namespace● Network Namespace
![Page 47: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/47.jpg)
Cgroups
Device Cgroup
Device nodes allow processes to configure kernel
![Page 48: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/48.jpg)
Cgroups
Device Cgroup
Device nodes allow processes to configure kernel
Should have been a namespace
![Page 49: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/49.jpg)
Cgroups
Device Cgroup
Device nodes allow processes to configure kernel
Should have been a namespace
Controls device nodes that can be created
![Page 50: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/50.jpg)
Cgroups
Device Cgroup
Device nodes allow processes to configure kernel
Should have been a namespace
Controls device nodes that can be created
/dev/console/dev/zero /dev/null /dev/fuse
/dev/full /dev/tty* /dev/urandom /dev/random
![Page 51: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/51.jpg)
Cgroups
Device Cgroup
Device nodes allow processes to configure kernel
Should have been a namespace
Controls device nodes that can be created
/dev/console/dev/zero /dev/null /dev/fuse
/dev/full /dev/tty* /dev/urandom /dev/random
Images also mounted with nodev
![Page 52: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/52.jpg)
SELinux
Everyone Please standup and repeat after me.
![Page 53: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/53.jpg)
SELinux
Everyone Please standup and repeat after me.
SELinux is a LABELING system
![Page 54: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/54.jpg)
SELinux
Everyone Please standup and repeat after me.
SELinux is a LABELING system
Every Process has a LABEL
![Page 55: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/55.jpg)
SELinux
Everyone Please standup and repeat after me.
SELinux is a LABELING system
Every Process has a LABEL
Every File, Directory, System object has a LABEL
![Page 56: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/56.jpg)
SELinux
Everyone Please standup and repeat after me.
SELinux is a LABELING system
Every Process has a LABEL
Every File, Directory, System object has a LABEL
Policy rules control access between labeled processes and labeled objects
![Page 57: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/57.jpg)
SELinux
Everyone Please standup and repeat after me.
SELinux is a LABELING system
Every Process has a LABEL
Every File, Directory, System object has a LABEL
Policy rules control access between labeled processes and labeled objects
The Kernel enforces the rules
![Page 58: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/58.jpg)
Grab your SELinux
Coloring Book
![Page 59: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/59.jpg)
Type Enforcement
![Page 60: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/60.jpg)
Type Enforcement
![Page 61: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/61.jpg)
Type Enforcement
![Page 62: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/62.jpg)
Type Enforcement
![Page 63: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/63.jpg)
Type Enforcement
![Page 64: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/64.jpg)
Type Enforcement
![Page 65: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/65.jpg)
Type Enforcement
● Protects the host system from container processes
● Container processes can only read/execute /usr files
● Container processes only write to container files.
● Process type svirt_lxc_net_t● file type svirt_sandbox_file_t
![Page 66: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/66.jpg)
MCS Enforcement
Multi Category Security
![Page 67: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/67.jpg)
MCS Enforcement
![Page 68: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/68.jpg)
MCS Enforcement
![Page 69: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/69.jpg)
MCS Enforcement
![Page 70: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/70.jpg)
MCS Enforcement
![Page 71: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/71.jpg)
MCS Enforcement
● Protects containers from each other.● Container processes can only read/write their files.● Docker daemon picks unique random MCS Label.
– s0:c1,c2
● Assigns MCS Label to all content● Launches the container processes with same label
![Page 72: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/72.jpg)
Docker Without SELinux
Is like Tupperware without the burp
![Page 73: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/73.jpg)
Future - seccomp
● Shrink the attack surface on the kernel● Eliminate syscalls● kexec_load, open_by_handle_at, init_module,
finit_module, delete_module, iopl, ioperm, swapon, swapoff, sysfs, sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init, kcmp
● block 32 bit syscalls● block old weird networks
![Page 74: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/74.jpg)
Future – User Name Space
● Map non root user to root within container● Available in docker-1.9 (Limited)● Only used to protect the host from containers,
not used to protect containers from each other.● Can we protect one container from another?● No file system support
![Page 75: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/75.jpg)
Future – Clear Linux Containers
● Use KVM with slimmed down kernel● Intel Introduced● Better isolation
– Better SELinux protection
● Breaks certain use cases● Supports docker containers● Starts container in .2 seconds
![Page 76: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/76.jpg)
Chapter 4 How do you furnish the pigs
apartment?
How do I secure content inside container?
![Page 77: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/77.jpg)
LINUX 1999
![Page 78: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/78.jpg)
LINUX 1999Where did you get your software?
![Page 79: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/79.jpg)
LINUX 1999Where did you get your software?Go to yahoo.com or AltaVista.com
and google it?
![Page 80: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/80.jpg)
LINUX 1999Where did you get your software?Go to yahoo.com or AltaVista.com
and google it?Find it on rpmfind.net, download and install.
![Page 81: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/81.jpg)
LINUX 1999Where did you get your software?Go to yahoo.com or AltaVista.com
and google it?Find it on rpmfind.net, download and install.
Hey I hear there is a big Security vulnerability in Zlib.
![Page 82: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/82.jpg)
LINUX 1999Where did you get your software?Go to yahoo.com or AltaVista.com
and google it?Find it on rpmfind.net, download and install.
Hey I hear there is a big Security vulnerability in Zlib.
How many copies of the Zlib vulnerability to you have?
![Page 83: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/83.jpg)
LINUX 1999Where did you get your software?Go to yahoo.com or AltaVista.com
and google it?Find it on rpmfind.net, download and install.
Hey I hear there is a big Security vulnerability in Zlib.
How many copies of the Zlib vulnerability to you have?
I have no clue!!!
![Page 84: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/84.jpg)
Red Hat to the Rescue
![Page 85: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/85.jpg)
Red Hat to the RescueRed Hat Enterprise Linux solved this problem
![Page 86: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/86.jpg)
Red Hat to the RescueRed Hat Enterprise Linux solved this problem
Certified software and hardware platforms
![Page 87: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/87.jpg)
How do you furnish the pigs apartment?
People have no idea of quality of software in docker images
![Page 88: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/88.jpg)
How do you furnish the pigs apartment?
Or they build it themselves.
![Page 89: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/89.jpg)
Lets Talk about DEV/OPS
![Page 90: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/90.jpg)
Lets Talk about DEV/OPSContainers move the responsibility for security updates from the Operator to the Developer.
![Page 91: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/91.jpg)
Lets Talk about DEV/OPSContainers move the responsibility for security updates from the Operator to the Developer.
Do you trust developers tofix security issues in their images?
![Page 92: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/92.jpg)
![Page 93: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/93.jpg)
What happens when the next Shell Shock hits
![Page 94: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/94.jpg)
![Page 95: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/95.jpg)
How do you furnish the pigs apartment?
RHEL Certified Images
![Page 96: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/96.jpg)
How do you furnish the pigs apartment?
Red Hat Support and Security teams partnering with you to secure your software
![Page 97: Container Security - Fedora · root), and unprivileged processes (whose effective UID is nonzero). Privileged processes bypass all kernel permission checks, while unprivileged processes](https://reader030.vdocuments.net/reader030/viewer/2022041109/5f0d05777e708231d4384984/html5/thumbnails/97.jpg)
Don't let this be you.
Questions?