Unprivileged Containers, Jess Frazelle, @jessfraz (PowerPoint presentation)


SLIDE 1

Unprivileged Containers

Jess Frazelle, @jessfraz

SLIDE 2

How do containers help security?

Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise.

SLIDE 3

How do containers help security?

The world an attacker might see from inside a very strict container with custom AppArmor/Seccomp profiles differs greatly from the one seen without containers.

SLIDE 4

Sandboxes Today

SLIDE 5

Chrome

  • Seccomp
  • Namespaces
  • Apparmor
  • NOT RUN AS ROOT

SLIDE 6

Containers today

  • Namespaces
  • Apparmor
  • Selinux
  • Capabilities Limiting
  • Cgroups
  • Run as root :(

SLIDE 7

How can we get to sandboxes with containers?

SLIDE 8

Back to the Basics

A “container” is what we have come to call a group of namespaces and control groups applied to a process.

SLIDE 9

Control Groups (cgroups)

Limit what the process can use: resource metering and limiting. Types: memory, CPU, blkio, network, device, pid.

SLIDE 10

PID Cgroup

SLIDE 11

Namespaces

Limit what the process sees. Types: pid, net, mnt, uts, ipc, user. Created with clone() or unshare().

SLIDE 12

Net Namespace

SLIDE 13

UTS Namespace

SLIDE 14

IPC Namespace

SLIDE 15

PID Namespace

SLIDE 16

User Namespace

SLIDE 17

Makings of a Sandbox: Containers

  • Namespaces
  • Apparmor
  • Selinux
  • Capabilities Limiting
  • Cgroups

NOT RUN AS ROOT

SLIDE 18

POC or GTFO

SLIDE 19

POC or GTFO

SLIDE 20

What is this sorcery?

  • User namespaces can be created without root.
  • But only if the {uid,gid}_map is mapped to the current user creating the namespace.
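As an added example (my own code, not from the deck), the following C program shows what slide 20 describes: an unprivileged process creates a user namespace with unshare(CLONE_NEWUSER) and then writes a single {uid,gid}_map entry that maps its own uid/gid to 0 inside the namespace. The function and file names are mine; the paths and the setgroups rule are the kernel's documented interface.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* One line of /proc/self/{uid,gid}_map: "<id inside> <id outside> <count>".
 * Without CAP_SETUID/CAP_SETGID in the parent namespace the kernel accepts
 * only a single entry that maps the caller's own id, so count is always 1. */
static const char *id_map_line(unsigned inside, unsigned outside) {
    static char line[64];
    snprintf(line, sizeof line, "%u %u 1\n", inside, outside);
    return line;
}

/* Write a short string to a procfs file; 0 on success, -1 on error. */
static int write_proc(const char *path, const char *data) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t len = (ssize_t)strlen(data);
    int rc = (write(fd, data, (size_t)len) == len) ? 0 : -1;
    close(fd);
    return rc;
}

/* Create a user namespace as an ordinary user and become uid/gid 0 inside it.
 * Fails with EPERM where unprivileged user namespaces are disabled (e.g. the
 * Debian/Ubuntu sysctl kernel.unprivileged_userns_clone=0) or a seccomp
 * filter blocks unshare(); the calling process is left unchanged then. */
int enter_unprivileged_userns(void) {
    unsigned uid = (unsigned)getuid(), gid = (unsigned)getgid();
    if (unshare(CLONE_NEWUSER) != 0) return -1;
    /* Since Linux 3.19 an unprivileged process must give up setgroups() first. */
    if (write_proc("/proc/self/setgroups", "deny") != 0) return -1;
    if (write_proc("/proc/self/uid_map", id_map_line(0, uid)) != 0) return -1;
    if (write_proc("/proc/self/gid_map", id_map_line(0, gid)) != 0) return -1;
    return 0;
}

int main(void) {
    if (enter_unprivileged_userns() != 0) {
        perror("enter_unprivileged_userns");
        return 1;
    }
    /* "root" only inside the new namespace; the uid seen from outside is unchanged. */
    printf("inside: uid=%u gid=%u\n", (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run it as a normal user and compare `id -u` in the parent shell with the uid the program prints; a mapping for any id other than your own is rejected by the kernel with EPERM, which is the restriction the slide refers to.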

SLIDE 21

Not Perfect... yet

  • Cgroups devices cannot be created without CAP_SYS_ADMIN.

SLIDE 22

New Hotness: Cgroup Namespace

  • In kernels 4.6+, not yet released, on RC5 currently.
  • False prophet to solve all the problems, but maybe in the future.

SLIDE 23

Cgroup Namespace

SLIDE 24

What to look forward to...

  • Containers in a multi-tenant environment not run as root.
  • Sane defaults with the ability to customize for a sandbox experience.
  • Better designed user experiences for dealing with security policies.

SLIDE 25

Resources

  • https://github.com/docker/docker/issues/17142
  • http://www.sysdig.org/falco/