containers with difgerent security modules
play

Containers with difgerent Security Modules FOSDEM19 Presentation - PowerPoint PPT Presentation

Mar 24, 2023 •386 likes •609 views

Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen john.johansen@canonical.com www.canonical.com February 2019 1 LSM Infrastructure Responsibilities LSM Provides Infrastructure Which LSMs are enabled

  1. Containers with difgerent Security Modules FOSDEM19 Presentation by John Johansen john.johansen@canonical.com www.canonical.com February 2019 1

  2. LSM Infrastructure Responsibilities ● LSM Provides Infrastructure ● Which LSMs are enabled ● Hooks ● Security fjelds on various objects ● Controls which LSM are enabled ● Security Module Manages ● Policy interfaces ● Policy enforcement ● Namespacing 2

  3. References ● LSM Stacking ● linux-security-module@vger.kernel.org ● https://github.com/cschaufmer/lsm-stacking ● AppArmor ● https://gitlab.com/apparmor/apparmor/wikis/home ● https://gitlab.com/apparmor/apparmor/ ● Selinux ● https://selinuxproject.org/page/User_Help ● https://github.com/stephensmalley/selinux-kernel.git ● http://namei.org/presentations/selinux_namespacing_lca2018.pdf ● https://youtu.be/bgarfEnL2hs 3

  4. Special thanks Casey Schaufler – LSM Stacking AppArmor team IMA team Smack team Selinux team LXD team 4

  5. Questions please Thank you https://github.com/cschaufmer/lsm-stacking https://github.com/jrjohansen/lsm-stacking John Johansen john.johansen@canonical.com www.canonical.com 5

  6. Reference for Questions Stacking & LSM Namespacing Redux Linux Plumbers Container MC 2018

  7. Linux Security Modules (LSM) ● Provide security ● Often MAC but not necessarily ● Kernel provides security – Hooks Located at security decision points ● All security relevant info available ● Race free ● – Security field in various objects ● selinux, smack, apparmor, tomoyo, IMA/EVM, loadpin, yama ● proposed: LSMs: LandLock, CaitSith, Checmate, HardChroot, PTAGS, SimpleFlow, SafeName, WhiteEgret, shebang, S.A.R.A.

  8. Use Cases ● LSM enabled in container but not on Host – ChromeOS running Android SELinux container – Virtual smart phone env (Cells/Cellrox), multiple android instances – Thin linux host (clear linux) ● system container – lxd. run Ubuntu (apparmor) container on rhel (selinux) host ● application confinement – snap using apparmor running on fedora (selinux base system) – Docker – flatpak

  9. Problem The LSM is not Namespaced

  10. LSM Namespacing ● Just Create an LSM Namespace! ● Presented & Discussed idea at Linux Plumbers 2017 – Not enough semantic info at LSM layer – Some LSMs don’t want to be “namespaced” Want to bound container ● No generic Solution ● – Real work needs to be done in security modules

  11. Namespacing the LSMs

  12. Requirements ● Not every LSM has the same requirements ● System level confinement (confine the container) – eg selinux using MCS label per container – do NOT want either OR mediation ie. selinux mediating tasks outside ● container using different LSM not confined by selinux ● ● Application level confinement – Not every LSM supports ● Dependent Components Need support (audit, ...)

  13. Audit ● Want ContainerID – But … ● Dependency of LSMs (apparmor, selinux, smack, ima) ● Not Namespaced ● Single Set of Rules ● Single daemon registration

  14. Audit LSS16: Conclusion ● Auditd ok with MNT, UTS, IPC, CGRP ns ● NET ns ok for now – Will need audit_pid/portid per USER ns ● PID ns ok for now for audit user messages – Will need translation per PID ns ● Auditd per USER ns wanted for containers ● NamespaceID vs. Audit ContainerID ● Need audit log aggregation by container orch

  15. AuditID ● U64 ● containers can't be universally identified by namespace (sub)set ● audit daemon won't be tied to any namespace ● netNS needs list of possible IDs responsible for net events ● child inherits parent's ID ● allow multiple audit daemons – each will have its own queue and ruleset – auxiliaries can't influence host

  16. SELinux NS ● Adds per-namespace selinuxfs instances – unshare mount ns and mount new selinuxfs ● Move AVC into namespace ● Add per-namespace support for kernel objects ● Write to selinuxfs unshare node to instantiate ● On Disk Inodes store all each NS label ● NS – Track nesting – Bounded enforcement

  17. SELinux prototype echo 1 > /sys/fs/selinux/unshare unshare -m -n umount /sys/fs/selinux mount -t selinuxfs none /sys/fs/selinux load_policy runcon unconfined_u:unconfined_r:unconfined_t:s0:c0.c1023 /bin/bash setenforce 1

  18. AppArmor ● Namespaced ● Stacked System ● Virtualized fs nscd dnsmasq Task :ns2: :ns1: :ns3: nscd dnsmasq :ns4: :ns5:

  19. AppArmor Problems ● Namespacing – mount, network, user, .. pita Need more infrastructure ● ● Securityfs – can’t mount multiple instances need to bind mount ● Still only AppArmor in AppArmor containers

  20. IMA ● Really wants ContainerID ● Prototype – IMA Audit – Virtualized IMA fs interface ● EVM – Problems with ns xattr storage

  21. Other LSMs ● Smack – Prototype namespace from a few years ago ● Yama ● Loadpin ● Landlock ● Sara

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega

Everything you need to know about Containers Security Track Containers Jos Manuel Ortega @jmortegac Agenda Introduction to containers security Linux Containers(LXC) Docker Security Security pipeline && Container

807 views • 57 slides
Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are

Unprivileged Containers Jess Frazelle, @jessfraz How do containers help security? Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. How do

823 views • 25 slides
Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs

Exploding the Linux Container Host Presenter: Ben Corrie (@bensdoings) Containers vs VMs Google Wisdom: VMs and Containers are similar but different Try running containers in VMs for security Containers are best for scale-out

314 views • 17 slides
Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs

Containers: Exploits, Surprises, And Security with Elissa Shevinsky COO at SoHo Token Labs Editor of Lean Out #RVASec @ElissaBeth on twitter @Elissa_is_offmessage on Instagram this was Silicon Valley in 2011 Containers are eating

954 views • 66 slides
Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False?

Agenda Container Security Concerns Addressing Container Security Security @ SUSE True or False? Containers are inherently insecure. Some Learnings from an Enterprise Study 94%: Containers have security implications 31%: Worried

490 views • 24 slides
Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12

Containers can actually improve your security story(!) Maya Kaczorowski, Google Cloud June 12 2019 Maya Kaczorowski Security PM, Google Cloud @MayaKaczorowski Objection: My security team is opposed to containers and Kubernetes 3

649 views • 41 slides
UTA Service Choices Difgerent Goals Result in Difgerent Service What is the job of public

UTA Service Choices Difgerent Goals Result in Difgerent Service What is the job of public

UTA Service Choices Difgerent Goals Result in Difgerent Service What is the job of public transit in our region? We have 18 buses to deploy in this fjctional town. Dots represent residents or jobs. Should transit be

313 views • 3 slides
Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Advanced Systems Security: Linux Security Modules Trent Jaeger Systems and Internet

Systems and Internet Infrastructure Security Network and Security Research Center Department of Computer Science and Engineering Pennsylvania State University, University Park PA Advanced Systems Security: Linux Security Modules Trent

872 views • 30 slides
Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer

Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer

Hardware Security Smartcards and other TamperResistant Modules Markus G. Kuhn Computer Laboratory http://www.cl.cam.ac.uk/~mgk25/ Applications of Tamper Resistant Modules Security of cryptographic applications is based on secure

564 views • 23 slides
COMPANY PRESENTATION TRANS CONSTRUCTION AS AN EPC CONTRACTOR SUPPLYING CONTAINERS, MODULES AND

COMPANY PRESENTATION TRANS CONSTRUCTION AS AN EPC CONTRACTOR SUPPLYING CONTAINERS, MODULES AND

COMPANY PRESENTATION TRANS CONSTRUCTION AS AN EPC CONTRACTOR SUPPLYING CONTAINERS, MODULES AND OTHER WELDED CONSTRUCTIONS FOR THE OFFSHORE AND ONSHORE INDUSTRY FOR THE OFFSHORE AND ONSHORE INDUSTRY 1 Trans Construction AS, Vognvegen 2 A/B, rn

526 views • 21 slides
Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com

Improving Trust in Containers Matthew Garrett @mjg59 | mjg59@coreos.com | coreos.com Containers are great Containers are resource efficient Containers make deployment easy Containers can be monitored easily Containers are secure But are

508 views • 38 slides
Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014

Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014

Hardware Security Modules (HSMs) Benefits and Challenges ICANN 50, London, UK 25 June 2014 richard.lamb@icann.org Hardware Security Modules Cool but what are you protecting? This works fine in many cases ..but this may be the real problem No

255 views • 12 slides
Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson

Surviving the Zombie Apocalypse Security in the Cloud Containers, KVM and Xen Ian Jackson <ian.jackson@eu.citrix.com> FOSDEM 2015 originally based on a talk and research by George Dunlap "Some people make the mistake of thinking

328 views • 6 slides
1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami

12.03.2019 Docker security 1 Agenda Docker world Containers VS Virtual machine Security concerns Conclusion Whoami M.Sc Computer Security M.Sc Software Development Worked previously as an embedded software developer Actually

586 views • 54 slides
Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules

Security Operation Center Concepts and Implementation renaud.bidou@intexxia.com > SOC Modules > Global Architecture > Collection & Storage > Correlation > SOC Modules R Box R Box reaction and reporting + A Box K Box A Box

673 views • 13 slides
Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni

Containers, Docker, and Security: State of the Union 1 / 38 Who am I? Jrme Petazzoni (@jpetazzo) French software engineer living in California Joined Docker (dotCloud) more than 4 years ago (I was at Docker before it was cool! ) I built

420 views • 38 slides
Neutrino-Oxygen Neutral-Current Elastic Interaction as a Background in Supernova Relic Neutrino

Neutrino-Oxygen Neutral-Current Elastic Interaction as a Background in Supernova Relic Neutrino

16th International Conference on Topics in Astroparticle and Underground Physics September 913, 2019 / Toyama, Japan Neutrino-Oxygen Neutral-Current Elastic Interaction as a Background in Supernova Relic Neutrino Search Yosuke ASHIDA (Kyoto

441 views • 42 slides
HK Cavern Construction Masato Shiozawa (UTokyo) T2HKK Workshop November 21, 2016 1

HK Cavern Construction Masato Shiozawa (UTokyo) T2HKK Workshop November 21, 2016 1

HK Cavern Construction Masato Shiozawa (UTokyo) T2HKK Workshop November 21, 2016 1 Overview of Hyper-K cavern design and excavation is given in my talk Thanks to J.Yamatomi, S. Nakayama, and Hide Tanaka for many slides More

398 views • 19 slides
Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working

Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working

Indirect WIMP detection with neutrinos in Hyper-K Yusuke Koshio for Hyper-K astrophysics working group Kamioka observatory, ICRR, Univ. of Tokyo Cosmic Frontier Workshop SLAC - March 7, 2013 Neutrinos generated by WIMP annihilation Trap

542 views • 20 slides
Widely Used But Out-Of-Tree Kees Cook (that's pronounced Case) kees.cook@canonical.com

Widely Used But Out-Of-Tree Kees Cook (that's pronounced Case) kees.cook@canonical.com

Widely Used But Out-Of-Tree Kees Cook (that's pronounced Case) kees.cook@canonical.com Linux Security Summit Boston, Aug 2010 http://people.canonical.com/~kees/slides/out-of-tree.pdf Internal use only 1 Agenda Past

919 views • 12 slides
li! mohe lge vndvana niko, lge vndvana niko sakhi re mohe lge vndvana niko O

li! mohe lge vndvana niko, lge vndvana niko sakhi re mohe lge vndvana niko O

li! mohe lge vndvana niko, lge vndvana niko sakhi re mohe lge vndvana niko O friend! How Vrndavana enthralls me! 1) ghara ghara tulasi, thkura seva, darana govindaji ko In every home there is seva of tulasi and darana

992 views • 61 slides
Example exploration Volcanic eruptions R.W. Oldford Global Volcanism Problem Volcanoes are a

Example exploration Volcanic eruptions R.W. Oldford Global Volcanism Problem Volcanoes are a

Example exploration Volcanic eruptions R.W. Oldford Global Volcanism Problem Volcanoes are a natural phenomenon caused by ruptures in the crust of planets like Earth, which have a molten core. When they erupt, they spew molten material (lava),

921 views • 72 slides
INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from

INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from

INFO 4300 / CS4300 Information Retrieval slides adapted from Hinrich Sch utzes, linked from http://informationretrieval.org/ IR 19/25: Web Search Basics and Classification Paul Ginsparg Cornell University, Ithaca, NY 9 Nov 2010 1 / 67

1.14k views • 67 slides
in Japanese - Class #5 Level 3 Student, teacher, senpai Phrases Okurigana Japanese

in Japanese - Class #5 Level 3 Student, teacher, senpai Phrases Okurigana Japanese

Getting Started in Japanese - Class #5 Level 3 Student, teacher, senpai Phrases Okurigana Japanese names TBD Intro to Kanji Ta / Te verbs Months and years Kanji Advantages / based on your Disadvantages Adjective

366 views • 23 slides

More recommend