Linux Security and Isolation APIs course outline

1. Course Introduction
2. Security and Isolation APIs Overview (*)
   • Sandboxing
   • Containers
3. Privileged Programs
   • Process credentials
   • Set-user-ID and set-group-ID programs
   • Changing process credentials
   • A few guidelines for writing privileged programs
4. Capabilities
   • Process and file capabilities
   • Setting and viewing file capabilities
   • Text form capabilities
   • Capabilities and execve(); further capability sets
   • Ambient capabilities
5. Capabilities: Further Topics (*)
   • Root, UID transitions, and capabilities
   • Making a capabilities-only environment: securebits
   • Programming with capabilities
6. Namespaces
   • Namespace types
   • Mount namespaces
   • UTS, IPC, cgroup, and network namespaces
   • PID namespaces
7. Namespaces APIs
   • API Overview
   • Creating a child process in a new namespace: clone()
   • /proc/PID/ns
   • Entering a namespace: setns()
   • Creating a namespace: unshare()
   • PID namespaces idiosyncrasies
   • ioctl() operations
   • Namespace lifetime
8. User Namespaces
   • Overview of user namespaces
   • Creating and joining a user NS
   • User namespaces: UID and GID mappings
   • User namespaces, execve(), and user ID 0
   • Security issues
   • Use cases
   • Combining user namespaces with other namespaces
9. User Namespaces and Capabilities
   • User namespaces and capabilities
   • What does it mean to be superuser in a namespace?
   • User namespace "set-UID-root" programs(*)
   • Namespaced file capabilities (*)
10. Mount Namespaces and Shared Subtrees (*)
    • Mount namespaces
    • Shared subtrees
    • Bind mounts
    • Peer groups
    • Private mounts
    • Slave mounts
    • Unbindable mounts
11. Network Namespaces (*)
    • Introduction
    • Creating and deleting network namespaces
    • Executing commands inside a network namespace
    • Virtual networking devices
    • Connecting namespaces with a veth pair
    • Physical networking devices
    • Using a bridge or switch to connect namespaces
    • Connecting a network namespace to the Internet
    • Use cases for network namespaces
12. Seccomp
    • Introduction and history
    • Seccomp filtering and BPF
    • The BPF virtual machine and BPF instructions
    • Checking the architecture
    • BPF filter return values
    • BPF programs
    • Discovering the system calls made by a program
    • Audit logging of filter actions
    • Caveats
    • Productivity aids (libseccomp and other tools)
13. Cgroups (Control Groups)
    • Introduction to cgroups v1 and v2
    • Cgroups v1: hierarchies and controllers
    • Cgroups v1: populating a cgroup
    • Cgroups v1: release notification
    • Cgroups v1: a survey of the controllers
    • Cgroups /proc files
14. Cgroups Version 2
    • Problems with cgroups v1; rationale for v2
    • Cgroups v2 controllers
    • Enabling and disabling controllers
    • Organizing cgroups and processes
    • Release notification (cgroup.events file)
    • Delegation
15. Cgroups v2 Thread Mode (*)
    • Overview of thread mode
    • Creating and using a threaded subtree

(*) Topics marked with an asterisk may be covered, if time permits.

Return to the course overview