DEV Community

Cover image for Must know — Container Security Constructs: Namespace, SecComp, Control Groups, SELinux
Shweta Vohra
Shweta Vohra

Posted on

Must know — Container Security Constructs: Namespace, SecComp, Control Groups, SELinux

SELinux

SELinux (Security-Enhanced Linux) is a mandatory access control system for processes. Linux kernel uses SELinux to protect processes from each other and to protect the host system from its running processes. Processes run as a confined SELinux type that has limited access to host system resources.

Condition that brings SELINUX into action. Check or configure file /etc/selinux/config for possible SELINUX values:

  • SELINUX=disabled or
  • SELINUX=enforcing or
  • SELINUX=permissive

Seccomp

Seccomp stands for secure computing mode.

The seccomp() system call operates on the Secure Computing
(seccomp) state of the calling process.
*Man page definition

Seccomp limits how processes could use system calls. Seccomp defines a security profile for processes, whitelisting the system calls, parameters and file descriptors they are allowed to use. SecComp defines which system calls should and should not be allowed to be executed by a container. It restricts the calls a process/continer able to make from userspace into the kernel.

Namespaces

The kernel can isolate specific system resources, usually visible to all processes. This is done by placing the resources within a namespace. Inside a namespace, only processes that are members of that namespace can see or utilize those resources. Namespces help apply security restrictions to containers. Below mentioned are major 7 namespaces that help achieve boundaries and restrictions:

  • Cgroup — Cgroup root directory
  • IPC — Inter Process Communication, POSIX message queues
  • Network — Network devices, stacks, ports, etc.
  • Mount — Mount points
  • PID — Process IDs
  • User — User and group IDs
  • UTS — Hostname and NIS domain name

Control groups (cgroups)

Control groups partition sets of processes and their children into groups to manage and limit the resources they consume. Control groups place restrictions on the amount of system resources that processes can use. Those restrictions keep one process/container from using too many resources on the host.

CGroups Examples:
— cpu-shares
— cpuset-cpus
— memory-reservation
— kernel-memory
— blkio-weight (block IO)
— device-read-iops
— device-write-iops

For more information on this topic listen recorded session here.

Thankfully AWS EKS and other AWS container services are security hardened and therefore cannot be mis-used by essential container constructs.

Top comments (0)