http://kernsec.org/wiki/index.php?action=history&feed=atom&title=Linux_Security_Summit_2014%2FAbstracts%2FHallyn 2026-05-07T12:04:44Z Revision history for this page on the wiki MediaWiki 1.36.1 http://kernsec.org/wiki/index.php?title=Linux_Security_Summit_2014/Abstracts/Hallyn&diff=3513&oldid=prev 2014-07-15T16:45:30Z

<p>New page: == Title == Application Confinement with User Namespaces == Presenter == Serge Hallyn &amp; Stéphane Graber, Canonical == Abstract == Application sandboxing using MAC has become common-p...</p> <p><b>New page</b></p><div>== Title ==<br /> <br /> Application Confinement with User Namespaces<br /> <br /> == Presenter ==<br /> <br /> Serge Hallyn &amp; Stéphane Graber, Canonical<br /> <br /> == Abstract ==<br /> <br /> Application sandboxing using MAC has become common-place. SELinux and<br /> AppArmor policies to protect a user from things like browsers and<br /> bittorrent clients are available to most, even if they not as widely<br /> used as we would like. Some people use VMs to sandbox heavyweight<br /> applications, with an obviously greater performance penalty. Pure<br /> container sandboxing eschewed this penalty at the cost of reduced<br /> isolation. Combining container sandboxing with MAC, as was done<br /> by virt-sandbox-service and in default Ubuntu LXC containers,<br /> makes for a terrific tool for sandboxing untrusted applications.<br /> <br /> While privileged containers offer benefits by partially isolating<br /> applications using namespaces and cgroups, a whole new level of<br /> confinement is reached when adding user namespaces. By supporting<br /> creation and use of unprivileged containers by users who have no root<br /> access at all, this level of sandboxing is now more accessible than<br /> ever.<br /> <br /> We will begin by describing user namespaces in general, then proceed<br /> to demonstrate an unprivileged container plus apparmor confining<br /> gui applications.</div>

JamesMorris