Overview
Explore the challenges and solutions for using different Linux Security Modules (LSMs) in containers than those used by the host system in this 32-minute conference talk. Delve into the complexities of enabling AppArmor LSM within containers on hosts running SELinux or Smack. Learn about the pitfalls encountered and strategies developed while implementing this capability for snappy applications and LXD system containers. Examine topics such as LSM namespacing, multiple LSMs, kernel virtualization, and dynamic LSM stacking. Gain insights into container security, user namespaces, and the current limitations of running inverse configurations.
Syllabus
Intro
Containers
LSM
Namespacing
Multiple LSMs
Interfaces
Display LSM
Multiple LSM
Why
A Primer
Simple Container
Premier Policy
Security FS
Kernel Virtualization
More Issues
Container Security FS
No New Privs
Stacking Internal bounding
Nesting of containers
User namespaces
What we can do
LXD
LXD Demo
Dynamic LSM stacking
No New Privs
Taught by
Linux Foundation