Linux Security and Isolation APIs Fundamentals
This workshop provides an introduction to the low-level Linux features—set-UID/set-GID programs, capabilities, and namespaces, cgroups (control groups), seccomp—used to implement privileged applications and build container, virtualization, and sandboxing technologies. The workshop will equip participants with the knowledge needed to understand, design, develop, and troubleshoot such applications.
Classical Privileged Programs
- Process credentials
- Set-user-ID and set-group-ID programs
- Changing process credentials
- Process and file capabilities
- Setting and viewing file capabilities
- Text form capabilities
- Capabilities and execve()
- Root, UID transitions, and capabilities (*)
- Programming with capabilities (*)
- Namespace types
- UTS namespaces
- Namespace APIs and commands
- Mount Namespaces and shared subtrees
- PID namespaces
- Creating a child process in a new namespace: clone()
- Entering a namespace: setns()
- Creating a namespace: unshare()
- PID namespaces idiosyncrasies (*)
- Overview of user namespaces
- Creating and joining a user namespace
- User namespaces: UID and GID mappings
- User namespaces, execve(), and user ID 0
- Combining user namespaces with other namespaces
- User namespaces and capabilities
- What does it mean to be superuser in a namespace?
Cgroups (Control Groups) Version 2
- What are cgroups?
- Example: the pids controller
- Cgroups v2 controllers
- Enabling and disabling controllers
- Organizing cgroups and processes
- Additional features (release notification; delegation; thread mode) (*)
- Differences between cgroups v1 and v2 (*)
- The BPF virtual machine and BPF instructions
- BPF filter return values
- Checking the architecture
- Discovering the system calls made by a program
- Productivity aids (libseccomp)
The primary audience comprises designers and programmers building privileged applications, container applications, and sandboxing applications. Systems administrators and DevOps engineers who are managing such applications are also likely to find the workshop of benefit.
The workshop consists of a mixture of presentations coupled with practical exercises that allow participants to apply the knowledge learned in the presentations.
Participants should be familiar with fundamental systemprogramming topics such as file I/O using system calls, signals,and the system calls that define the lifecycle of a process(<em>fork()</em>, <em>execve()</em>, <em>wait()</em>, <em>exit()</em>).For a refresher on these topics, you can download thecourse materials available at https://man7.org/training/spboot/.In addition, participants should have a reading knowledge of the Cprogramming language. (Note, however, that the practical sessions do notrequire writing C programs.)
You'll need a laptop with Linux installed—either as a native install or inside a virtual machine (VM). In the latter case, you should ensure that the VM has working Internet access. You should ensure that you have a fairly recent Linux distribution.
Michael Kerrisk is a programmer, writer, and trainer who has a passion for investigating and explaining software systems. He is the author of "The Linux Programming Interface", a widely acclaimed book on Linux (and UNIX) system programming. He has been actively involved in the Linux development community since 2000, operating mainly in the area of testing, design review, and documentation of kernel-user-space interfaces. Since 2004, he has maintained the Linux "man-pages" project, which provides the primary documentation for Linux system calls and C library functions. Michael is a New Zealander, living in Munich, Germany, from where he operates a training business (man7.org) providing low-level Linux programming courses in Europe, North America, and occasionally further afield.