3. Docker Introduction
» Started in 2013
» Written in Go
» Very active codebase (~ 33,000 commits & 44,000 stars )
» Lots of interest from Big Tech Co’s ( e.g. Google/Microsoft/RedHat/IBM )
» Delivering Containers as a Service ( e.g. AWS/GKE/Azure/Aliyun )
» Faster and more flexible than traditional virtualization
7. Namespaces & Cgroups
Namespaces
Control what a process can see
» PID
» Mount
» Network
» UTS
» IPC
» User
Cgroups
Control what a process can use
» Memory
» CPU
» Devices
» Blkio
» Net_prio
» Freezer
» …
8. Kernel Capabilities
Break up the monolithic root privilege
» Useful for commands that need only one privilege
» Docker drops all capabilities except those needed
» By default, a container owns only 14 of 37 capabilities
» Docker supports the addition and removal of capabilities
» The --privileged flag gives extended privileges to the container
9. Seccomp & Kernel Modules
Seccomp
Control the system calls that a process can make. The default seccomp profile provides a sane default for running containers with seccomp and disables around 44 system calls out of 300+.
MAC
Give fine-grained control to restrict access to system resources
» AppArmor
» SELinux
» GRSEC
» TOMOYO
» …
10. “OK, OK, we have known that docker is secure. But how to hack docker? Please show us the exploit.”
20. What the --privileged flag does
» Set empty process label
» Warn of incompatibility with user namespaces
» Add all host devices from /dev
» Add device cgroup access rwm allow
» Add all capabilities
» Clear read only flag for /sys mount
» Set read only paths to nil (*specs.Spec).Linux.ReadonlyPaths = nil
» Set masked paths to nil (*specs.Spec).Linux.MaskedPaths = nil
» Clear read only flag for cgroup mount
» Set app armor profile "unconfined"
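Added example (not from the slides): a small audit helper that decodes the CapEff mask the kernel exposes in /proc/<pid>/status and compares it with the 14 capabilities slide 8 says Docker keeps by default, so a defender can tell a default container from one started with --privileged ("Add all capabilities" above). The capability table follows the linux/capability.h bit order and includes CAP_AUDIT_READ, so it has 38 entries rather than the 37 the slide counts; the two status excerpts and the default mask 0x00000000a80425fb are constructed (the mask is computed here from the 14 default names, not quoted from the deck).

```python
# Added example, not part of the slide deck: decode CapEff and flag
# containers that hold more than Docker's default capability set.
import re

# Capability names indexed by bit number (linux/capability.h order).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ",
]

# The 14 capabilities Docker keeps by default (slide 8).
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
}

def decode_caps(mask):
    """Return the set of capability names whose bit is set in mask."""
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def cap_eff_from_status(status_text):
    """Extract the CapEff hex mask from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def audit(status_text):
    """Report held caps, caps beyond Docker's default, and whether every
    known capability is present (what --privileged produces)."""
    caps = decode_caps(cap_eff_from_status(status_text))
    extra = caps - DOCKER_DEFAULT
    return {"caps": caps, "extra": extra,
            "looks_privileged": caps >= set(CAP_NAMES)}

# Constructed /proc/<pid>/status excerpts: a default container (mask
# built from the 14 defaults) and a --privileged one (all bits set).
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("privileged", PRIVILEGED_STATUS)):
        r = audit(text)
        print(label, len(r["caps"]), "caps; extra:", sorted(r["extra"]),
              "; privileged:", r["looks_privileged"])
```

Inside a running container, `audit(open("/proc/1/status").read())` gives the same report for the container's init process.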