DEV Community

Shweta Vohra
Shweta Vohra

Posted on

Must know — Container Security Constructs: Namespace, SecComp, Control Groups, SELinux

Container Security Constructs


SELinux (Security-Enhanced Linux) is a mandatory access control system for processes. Linux kernel uses SELinux to protect processes from each other and to protect the host system from its running processes. Processes run as a confined SELinux type that has limited access to host system resources.

Condition that brings SELINUX into action. Check or configure file /etc/selinux/config for possible SELINUX values:

  • SELINUX=disabled or
  • SELINUX=enforcing or
  • SELINUX=permissive


Seccomp stands for secure computing mode.

The seccomp() system call operates on the Secure Computing (seccomp) state of the calling process.

*Man page definition

Seccomp limits how processes could use system calls. Seccomp defines a security profile for processes, whitelisting the system calls, parameters and file descriptors they are allowed to use. SecComp defines which system calls should and should not be allowed to be executed by a container. It restricts the calls a process/continer able to make from userspace into the kernel.


The kernel can isolate specific system resources, usually visible to all processes. This is done by placing the resources within a namespace. Inside a namespace, only processes that are members of that namespace can see or utilize those resources. Namespces help apply security restrictions to containers. Below mentioned are major 7 namespaces that help achieve boundaries and restrictions:

  • Cgroup — Cgroup root directory
  • IPC — Inter Process Communication, POSIX message queues
  • Network — Network devices, stacks, ports, etc.
  • Mount — Mount points
  • PID — Process IDs
  • User — User and group IDs
  • UTS — Hostname and NIS domain name

Control groups (cgroups)

Control groups partition sets of processes and their children into groups to manage and limit the resources they consume. Control groups place restrictions on the amount of system resources that processes can use. Those restrictions keep one process/container from using too many resources on the host.

CGroups Options(Examples):

  • — cpu-shares
  • — cpuset-cpus
  • — memory-reservation
  • — kernel-memory
  • — blkio-weight (block IO)
  • — device-read-iops
  • — device-write-iops

Top comments (0)