Linux Security and Isolation APIs course outline
- Course Introduction
- Security and Isolation APIs Overview (*)
- Classical privileged programs
- A simple set-user-ID program
- Saved set-user-ID and saved set-group-ID
- Changing process credentials
- A few guidelines for writing privileged programs
- Capabilities
- Process and file capabilities
- Permitted and effective capabilities
- Setting and viewing file capabilities
- Capabilities-dumb and capabilities-aware applications
- Text-form capabilities
- Capabilities and execve()
- The capability bounding set
- Inheritable capabilities
- Summary of process capability sets (so far)
- Ambient capabilities
- An alternative summary of process capability sets
- Summary remarks
- Capabilities and UID 0
- Capabilities and UID transitions
- Capabilities, UID 0, and execve()
- Making a capabilities-only environment: securebits (*)
- Programming with capabilities (*)
- Programming with capabilities
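The following is an added example (it is not code from the course or from libcap) showing what the "Programming with capabilities" and "Text-form capabilities" topics involve at the lowest level: reading and changing the permitted, effective and inheritable sets through the raw capget()/capset() system calls, checking the bounding set with prctl(PR_CAPBSET_READ), and converting a set to and from a comma-separated list of names. Assumptions: the name table is a partial subset of <linux/capability.h>, and the text form is simplified (no "=ep" flag suffix as in libcap's cap_to_text()). Lowering the effective set, as done in main(), needs no privilege, so the program runs as an ordinary user.

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Partial name table (assumption: only these names are recognised);
 * the CAP_* values come from <linux/capability.h>. */
static const struct { int cap; const char *name; } cap_names[] = {
    { CAP_CHOWN, "cap_chown" }, { CAP_DAC_OVERRIDE, "cap_dac_override" },
    { CAP_KILL, "cap_kill" }, { CAP_SETUID, "cap_setuid" },
    { CAP_SETPCAP, "cap_setpcap" }, { CAP_NET_BIND_SERVICE, "cap_net_bind_service" },
    { CAP_NET_RAW, "cap_net_raw" }, { CAP_SYS_ADMIN, "cap_sys_admin" },
    { CAP_SYS_PTRACE, "cap_sys_ptrace" },
};
#define NCAPS (sizeof cap_names / sizeof cap_names[0])

/* The three per-thread sets exposed by capget()/capset(). The kernel API
 * splits each set into two 32-bit words; they are joined into one mask here. */
struct cap_sets { uint64_t effective, permitted, inheritable; };

int get_cap_sets(struct cap_sets *s)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 }; /* pid 0: self */
    struct __user_cap_data_struct d[2];
    if (syscall(SYS_capget, &hdr, d) == -1)
        return -1;
    s->effective   = d[0].effective   | ((uint64_t)d[1].effective   << 32);
    s->permitted   = d[0].permitted   | ((uint64_t)d[1].permitted   << 32);
    s->inheritable = d[0].inheritable | ((uint64_t)d[1].inheritable << 32);
    return 0;
}

int set_cap_sets(const struct cap_sets *s)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2] = {
        { (uint32_t)s->effective, (uint32_t)s->permitted, (uint32_t)s->inheritable },
        { (uint32_t)(s->effective >> 32), (uint32_t)(s->permitted >> 32),
          (uint32_t)(s->inheritable >> 32) },
    };
    return syscall(SYS_capset, &hdr, d) == -1 ? -1 : 0;
}

/* Render a mask as "cap_a,cap_b"; bits without a table entry print as numbers. */
int format_cap_set(uint64_t mask, char *buf, size_t len)
{
    size_t used = 0;
    buf[0] = '\0';
    for (int bit = 0; bit < 64; bit++) {
        if (!(mask & (1ULL << bit)))
            continue;
        const char *name = NULL;
        for (size_t i = 0; i < NCAPS; i++)
            if (cap_names[i].cap == bit)
                name = cap_names[i].name;
        int n = name ? snprintf(buf + used, len - used, "%s%s", used ? "," : "", name)
                     : snprintf(buf + used, len - used, "%s%d", used ? "," : "", bit);
        if (n < 0 || (size_t)n >= len - used)
            return -1;
        used += (size_t)n;
    }
    return 0;
}

/* Parse "cap_a,cap_b" into a mask; -1 if a name is not in the table. */
int parse_cap_set(const char *text, uint64_t *mask)
{
    char tmp[512];
    if (strlen(text) >= sizeof tmp)
        return -1;
    strcpy(tmp, text);
    *mask = 0;
    for (char *tok = strtok(tmp, ","); tok; tok = strtok(NULL, ",")) {
        size_t i;
        for (i = 0; i < NCAPS; i++)
            if (strcmp(tok, cap_names[i].name) == 0) {
                *mask |= 1ULL << cap_names[i].cap;
                break;
            }
        if (i == NCAPS)
            return -1;
    }
    return 0;
}

int main(void)
{
    struct cap_sets s;
    char buf[512];
    if (get_cap_sets(&s) == -1) { perror("capget"); return 1; }
    format_cap_set(s.effective, buf, sizeof buf); printf("effective: %s\n", buf);
    format_cap_set(s.permitted, buf, sizeof buf); printf("permitted: %s\n", buf);
    int r = prctl(PR_CAPBSET_READ, CAP_SYS_ADMIN, 0, 0, 0);
    printf("cap_sys_admin %s the bounding set\n", r == 1 ? "is in" : "is not in");
    /* A capabilities-aware program keeps privileges in the permitted set and
       raises them into the effective set only while needed. Clearing the
       effective set is always permitted, since no capability is gained. */
    s.effective = 0;
    if (set_cap_sets(&s) == -1) { perror("capset"); return 1; }
    get_cap_sets(&s);
    format_cap_set(s.effective, buf, sizeof buf);
    printf("effective after drop: \"%s\"\n", buf);
    return 0;
}
```

Run it once as an ordinary user and once under sudo to see the difference between an empty and a full permitted set; the bounding-set line is the same in both cases unless a parent has dropped capabilities with PR_CAPBSET_DROP.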
- Namespaces
- An example: UTS namespaces
- Namespaces commands
- Namespaces demonstration (UTS namespaces)
- Namespace types and APIs
- Namespaces, containers, and virtualization
- Mount Namespaces and Shared Subtrees
- Mount namespaces
- Shared subtrees
- Bind mounts
- PID Namespaces
- Other Namespaces
- IPC namespaces
- Time namespaces
- Cgroup namespaces
- Network namespaces
- Namespaces APIs
- API Overview
- Creating a child process in new namespaces: clone()
- /proc/PID/ns
- Entering a namespace: setns()
- Creating a namespace: unshare()
- PID namespaces idiosyncrasies
- Namespace lifetime (*)
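As an added example (not code from the course), this program ties together the /proc/PID/ns, unshare() and "Discovering namespace relationships" topics: it records its UTS namespace from the /proc/self/ns/uts link, moves into a new UTS namespace with unshare(), changes the hostname there, and shows that the link now names a different inode. Two processes are in the same namespace exactly when their ns links have the same (st_dev, st_ino), which same_namespace() checks. Assumptions: unshare(CLONE_NEWUTS) needs CAP_SYS_ADMIN, so on EPERM the program falls back to creating a user namespace in the same call (CLONE_NEWUSER | CLONE_NEWUTS), which may itself be disabled on some distributions; the hostname "sandbox" is arbitrary.

```c
#define _GNU_SOURCE           /* for unshare(), sethostname() */
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Parse the text of a /proc/PID/ns/* symlink, e.g. "uts:[4026531838]",
 * into its namespace type and inode number. Returns 0, or -1 if the text
 * is not of that form. */
int parse_ns_link(const char *link, char *type, size_t typelen, unsigned long *ino)
{
    const char *colon = strchr(link, ':');
    if (colon == NULL || colon == link || colon[1] != '[')
        return -1;
    size_t n = (size_t)(colon - link);
    if (n + 1 > typelen)
        return -1;
    memcpy(type, link, n);
    type[n] = '\0';
    char *end;
    errno = 0;
    unsigned long v = strtoul(colon + 2, &end, 10);
    if (errno != 0 || end == colon + 2 || end[0] != ']' || end[1] != '\0')
        return -1;
    *ino = v;
    return 0;
}

/* Read the /proc/self/ns/<type> link into buf (NUL-terminated). */
int read_ns_link(const char *type, char *buf, size_t buflen)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/ns/%s", type);
    ssize_t n = readlink(path, buf, buflen - 1);
    if (n < 0)
        return -1;
    buf[n] = '\0';
    return 0;
}

/* 1 if processes a and b share the namespace of the given type, 0 if not,
 * -1 if either link cannot be stat()ed (no permission, or no such process). */
int same_namespace(pid_t a, pid_t b, const char *type)
{
    char pa[64], pb[64];
    struct stat sa, sb;
    snprintf(pa, sizeof pa, "/proc/%ld/ns/%s", (long)a, type);
    snprintf(pb, sizeof pb, "/proc/%ld/ns/%s", (long)b, type);
    if (stat(pa, &sa) == -1 || stat(pb, &sb) == -1)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

int main(void)
{
    char before[64], after[64], type[16], host[64];
    unsigned long ino_before = 0, ino_after = 0;

    if (read_ns_link("uts", before, sizeof before) == -1) { perror("readlink"); return 1; }
    printf("parent UTS namespace shared with init? %d\n", same_namespace(getpid(), 1, "uts"));

    /* Unprivileged fallback (assumption): a new user namespace grants the
       caller a full capability set inside it, including CAP_SYS_ADMIN. */
    if (unshare(CLONE_NEWUTS) == -1 &&
        (errno != EPERM || unshare(CLONE_NEWUSER | CLONE_NEWUTS) == -1)) {
        perror("unshare");
        return 1;
    }
    if (sethostname("sandbox", 7) == -1) { perror("sethostname"); return 1; }

    read_ns_link("uts", after, sizeof after);
    parse_ns_link(before, type, sizeof type, &ino_before);
    parse_ns_link(after, type, sizeof type, &ino_after);
    printf("%s namespace inode before %lu, after %lu (%s)\n", type, ino_before, ino_after,
           ino_before != ino_after ? "new namespace" : "unchanged");
    gethostname(host, sizeof host);
    printf("hostname inside the new namespace: %s\n", host);   /* host unaffected */
    return 0;
}
```

The outer hostname is untouched because sethostname() only changes the UTS namespace the caller is in; running `hostname` in another shell after the program exits confirms this, and the new namespace itself disappears once its last member process exits, which is the point of the "Namespace lifetime" topic.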
- User Namespaces
- Overview of user namespaces
- Creating and joining a user namespace
- User namespaces: UID and GID mappings
- Accessing files (and other objects with UIDs/GIDs)
- User namespaces, execve(), and user ID 0
- Security issues
- Use cases
- Combining user namespaces with other namespaces
- User Namespaces and Capabilities
- User namespaces and capabilities
- What does it mean to be superuser in a namespace?
- Discovering namespace relationships
- File-related capabilities (*)
- User Namespaces and Privileged Programs (*)
- User namespace "set-UID-root" programs
- Namespaced file capabilities
- Mount Namespaces: Further Details (*)
- Peer groups
- Private mounts
- Slave mounts
- Unbindable mounts
- Mounting a container filesystem
- Seccomp
- Introduction and history
- Seccomp filtering and BPF
- The BPF virtual machine and BPF instructions
- BPF filter return values
- BPF programs
- Checking the architecture
- Productivity aids (libseccomp and other tools)
- Applications and further information
- Other filter return actions (*)
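As an added example (not code from the course, and written against the raw BPF API rather than libseccomp), this program covers the "BPF programs", "Checking the architecture" and "BPF filter return values" topics in one filter: it kills the process if the architecture field does not match the one the program was compiled for, allows a short list of system-call numbers, and fails everything else with EPERM via SECCOMP_RET_ERRNO. Assumptions: the AUDIT_ARCH_* mapping covers only x86-64, AArch64 and i386; the allow-list in main() (read, write, exit_group, rt_sigreturn) is chosen for this demonstration, not a general-purpose policy.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#  define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define ARCH_NR AUDIT_ARCH_AARCH64
#elif defined(__i386__)
#  define ARCH_NR AUDIT_ARCH_I386
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS        /* present in headers since Linux 4.14 */
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif

/* Build the filter into prog (capacity cap instructions). Layout:
 *   0: load arch      1: jeq ARCH_NR -> skip kill   2: ret KILL_PROCESS
 *   3: load nr        4..4+n-1: jeq allowed[k] -> allow
 *   4+n: ret ERRNO(EPERM)   5+n: ret ALLOW
 * Returns the instruction count, or -1 if cap is too small or n > 255
 * (jump offsets are 8-bit). */
int build_allowlist_filter(struct sock_filter *prog, size_t cap,
                           const int *allowed, size_t n)
{
    size_t i = 0;
    if (n > 255 || cap < n + 6)
        return -1;

    /* Architecture check first: syscall numbers differ per architecture, and
       on x86-64 a 32-bit (i386 ABI) caller would otherwise be judged against
       the wrong table. */
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, arch));
    prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);

    prog[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS,
                                             offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++)      /* jt skips the remaining jeqs and the deny */
        prog[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K,
                                                 (unsigned)allowed[k],
                                                 (unsigned char)(n - k), 0);
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K,
                                             SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    prog[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)i;
}

/* Installing a filter without CAP_SYS_ADMIN requires no_new_privs, which
 * also stops a set-UID execve() from escaping the filter's errno results. */
int install_filter(struct sock_filter *prog, int len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog, 0, 0);
}

int main(void)
{
    struct sock_filter prog[32];
    int allowed[] = { SYS_read, SYS_write, SYS_exit_group, SYS_rt_sigreturn };
    char msg[96];

    int len = build_allowlist_filter(prog, 32, allowed, 4);
    if (len < 0 || install_filter(prog, len) == -1) { perror("seccomp"); return 1; }

    /* Only raw write() from here on: stdio may need fstat()/brk(), which the
       filter now rejects. */
    long pid = syscall(SYS_getpid);       /* not allowed: returns -1, errno EPERM */
    int n = snprintf(msg, sizeof msg, "%d instructions; getpid() -> %ld, errno %d (EPERM is %d)\n",
                     len, pid, errno, EPERM);
    write(STDOUT_FILENO, msg, (size_t)n);
    return 0;                             /* exit_group() is on the list */
}
```

Swapping the deny action for SECCOMP_RET_KILL_PROCESS turns the getpid() line into a SIGSYS death, which is what the "Other filter return actions" topic compares; keep rt_sigreturn on the list whenever a process handles signals, or returning from the handler itself is rejected.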
- Seccomp: Further Details (*)
- Caveats
- Discovering the system calls made by a program
- Further details on seccomp filters
- Extended BPF (eBPF)
- Further details on BPF programs
- Recent seccomp features
- Audit logging of filter actions
- Cgroups: Introduction
- Preamble
- What are control groups?
- An example: the pids controller
- Creating and destroying cgroups
- Populating a cgroup
- Enabling and disabling controllers
- Cgroups: A Survey of the Controllers
- The cpu, memory, freezer, and pids controllers
- Other controllers
- Cgroups: Advanced Features
- Cgroup namespaces
- Release notification (cgroup.events file)
- Delegation
- Cgroups: Thread Mode (*)
- Overview of thread mode
- Creating and using a threaded subtree
- Cgroups Version 1 (*)
- Cgroups v1: hierarchies and controllers
- Cgroups v1: populating a cgroup
- Cgroups v1: release notification
- Cgroups v1: delegation
- Problems with cgroups v1; rationale for v2
(*) Topics marked with an asterisk may be covered if time permits.