Linux Capabilities and Namespaces course outline
- Course Introduction
- Privileged Programs
  - Process credentials
  - Set-user-ID and set-group-ID programs
  - Changing process credentials
  - A few guidelines for writing privileged programs
- Capabilities
  - Process and file capabilities
  - Setting and viewing file capabilities
  - Text form capabilities
  - Capabilities and execve(); further capability sets
  - Ambient capabilities
- Capabilities: Further Topics (*)
  - Root, UID transitions, and capabilities
  - Making a capabilities-only environment: securebits
  - Programming with capabilities
- Namespaces
  - Namespace types
  - Mount namespaces
  - UTS, IPC, cgroup, and network namespaces
  - PID namespaces
- Namespaces APIs
  - API Overview
  - Creating a child process in a new namespace: clone()
  - /proc/PID/ns
  - Entering a namespace: setns()
  - Creating a namespace: unshare()
  - PID namespaces idiosyncrasies
  - ioctl() operations
  - Namespace lifetime
- User Namespaces
  - Overview of user namespaces
  - Creating and joining a user NS
  - User namespaces: UID and GID mappings
  - User namespaces, execve(), and user ID 0
  - Security issues
  - Use cases
  - Combining user namespaces with other namespaces
- User Namespaces and Capabilities
  - User namespaces and capabilities
  - What does it mean to be superuser in a namespace?
  - Namespaced file capabilities (*)
- Mount Namespaces and Shared Subtrees (*)
  - Mount namespaces
  - Shared subtrees
  - Bind mounts
  - Peer groups
  - Private mounts
  - Slave mounts
  - Unbindable mounts
- Network Namespaces (*)
  - Introduction
  - Creating and deleting network namespaces
  - Executing commands inside a network namespace
  - Virtual networking devices
  - Connecting namespaces with a veth pair
  - Physical networking devices
  - Using a bridge or switch to connect namespaces
  - Connecting a network namespace to the Internet
  - Use cases for network namespaces
(*) Topics marked with an asterisk may be covered, if time permits.