State of the User Namespace - Privileged Containers and Security Implications

Linux Foundation via YouTube

Overview

This conference talk by Stephane Graber and Christian Brauner of Canonical surveys the state of the Linux user namespace. It opens with the argument that privileged containers are behind the majority of container-related CVEs and presents unprivileged containers, which run as a mapped uid inside a user namespace rather than as the host's root, as the alternative. It then covers isolated user namespaces from both the userspace and the kernelspace side, the limitations of user namespaces, how seccomp interacts with containers, syscall supervision, filesystem interactions, overriding credentials in the VFS, and idmapped bind-mounts. The material is aimed at developers, system administrators and security professionals working with containerization technologies.

Syllabus

Intro
Privileged Containers cause majority of CVEs
Unprivileged Containers
Isolated User Namespaces - Userspace
Isolated User Namespaces - Kernelspace
Limitations of User Namespaces
Seccomp & Containers
Syscall Supervision
Filesystem interactions
Overriding creds in the VFS
Idmapped bind-mounts
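The "Unprivileged Containers" and "Limitations of User Namespaces" items above both rest on one kernel mechanism: an unprivileged process can unshare a user namespace and map its own uid to 0, becoming root only inside that namespace. The C program below is an added example written for this page, not code from the talk or from Canonical's projects. It assumes a Linux kernel with unprivileged user namespaces enabled, a mounted /proc and a writable /tmp, and reports "unsupported" rather than crashing where a sandbox or seccomp profile blocks unshare(2). It forks a child that does what `unshare -r` does, then checks three things: geteuid() inside the namespace is 0, a file created by that root is owned by the real uid on disk, and chown() to an id that is not mapped fails with EINVAL, which is the kind of ownership-mapping gap the idmapped-mount work at the end of the talk addresses.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of userns_demo(): the child's view inside the namespace plus the
 * parent's view outside it. The child fills its fields and ships the struct
 * through a pipe; the parent completes the rest. */
struct userns_result {
    int supported;            /* 0 if the kernel or sandbox refused the namespace */
    int err;                  /* errno behind an unsupported result */
    uid_t outer_uid;          /* our real uid outside the namespace */
    uid_t inner_euid;         /* expected 0: "root" inside the namespace */
    uid_t file_owner;         /* expected == outer_uid: on-disk owner of the child's file */
    int chown_unmapped_errno; /* expected EINVAL: chown() to an id with no mapping */
};

/* Overwrite /proc/self/<name> with one line; returns 0 or an errno value. */
static int write_proc_self(const char *name, const char *line)
{
    char path[64];
    snprintf(path, sizeof path, "/proc/self/%s", name);
    int fd = open(path, O_WRONLY);
    if (fd < 0) return errno;
    int err = write(fd, line, strlen(line)) < 0 ? errno : 0;
    close(fd);
    return err;
}

/* Runs in the forked child: enter a new user namespace the way `unshare -r`
 * does (map our real uid/gid to 0), then probe what that "root" can do. */
static void child_main(int report_fd, const char *file_path)
{
    struct userns_result r = {0};
    char line[32];
    if (unshare(CLONE_NEWUSER) < 0) { r.err = errno; goto done; }
    /* Unprivileged writers must deny setgroups before gid_map is accepted. */
    if ((r.err = write_proc_self("setgroups", "deny")) != 0) goto done;
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)getgid());
    if ((r.err = write_proc_self("gid_map", line)) != 0) goto done;
    snprintf(line, sizeof line, "0 %u 1\n", (unsigned)getuid());
    if ((r.err = write_proc_self("uid_map", line)) != 0) goto done;
    r.inner_euid = geteuid();  /* 0 in here; from outside this task is still outer_uid */
    /* A file created by this "root" is owned by outer_uid on disk. */
    int fd = open(file_path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0) { r.err = errno; goto done; }
    close(fd);
    /* Only one id is mapped: uid/gid 1 have no kernel id in this namespace,
     * so chown() fails with EINVAL even though we hold CAP_CHOWN in here. */
    if (chown(file_path, 1, 1) < 0) r.chown_unmapped_errno = errno;
done:
    if (write(report_fd, &r, sizeof r) != (ssize_t)sizeof r) _exit(2);
    _exit(0);
}

/* Fork a child into a fresh user namespace and combine both views. */
struct userns_result userns_demo(void)
{
    struct userns_result r = {0};
    char file_path[64];
    int pipefd[2];
    snprintf(file_path, sizeof file_path, "/tmp/userns_demo_%ld", (long)getpid());
    unlink(file_path);  /* clear any leftover from an earlier run */
    if (pipe(pipefd) < 0) { r.err = errno; return r; }
    pid_t pid = fork();
    if (pid < 0) { r.err = errno; return r; }
    if (pid == 0) { close(pipefd[0]); child_main(pipefd[1], file_path); }
    close(pipefd[1]);
    ssize_t n = read(pipefd[0], &r, sizeof r);   /* one struct, below PIPE_BUF */
    close(pipefd[0]);
    waitpid(pid, NULL, 0);
    struct stat st;
    int stat_err = stat(file_path, &st) == 0 ? 0 : errno;
    unlink(file_path);
    if (n != (ssize_t)sizeof r) { r.err = EIO; return r; }
    if (r.err != 0) return r;             /* unshare or the id maps were refused */
    if (stat_err != 0) { r.err = stat_err; return r; }
    r.supported = 1;
    r.outer_uid = getuid();
    r.file_owner = st.st_uid;
    return r;
}

int main(void)
{
    struct userns_result r = userns_demo();
    if (!r.supported) { printf("no user namespace here: %s\n", strerror(r.err)); return 1; }
    printf("outside uid %u, inside euid %u, file owner on disk %u, chown(1,1) inside: %s\n",
           (unsigned)r.outer_uid, (unsigned)r.inner_euid, (unsigned)r.file_owner,
           strerror(r.chown_unmapped_errno));
    return 0;
}
```

Build with `gcc -Wall userns_demo.c -o userns_demo` and run it as an ordinary user. If it reports "Operation not permitted", the host either disables unprivileged user namespaces (check `user.max_user_namespaces` and, on Debian-derived kernels, `kernel.unprivileged_userns_clone`) or the container's seccomp profile blocks unshare(2); the same hurdle is why unprivileged containers need the kernel-side support the talk describes.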

Taught by

Linux Foundation
