Making the LSM available to containers
stacking and namespacing the LSM
AppArmor security project and Canonical
John Johansen works for Canonical doing kernel related work for the Ubuntu security team.
John Johansen began working with open source software in the late 80s and began playing with Linux in 93. He completed a masters in mathematics at the University of Waterloo and then began working for Immunix doing compiler hardening, and then AppArmor. After Immunix was acquired by Novell he began working on SUSE Linux, and in 2009 he joined Canonical as a kernel engineer. He is currently employed by Canonical as a security engineer with a primary focus on supporting the AppArmor project.
Containers would like to be able to make use of Linux Security Modules (LSMs), for purposes ranging from providing more complete system virtualization to improving container confinement. To date, containers' access to the LSM has been limited, but there has been work to change the situation.
This presentation will discuss the current state of LSM stacking and namespacing: the work being done on various security modules to support namespacing, the infrastructure work being done to improve the LSM, and an examination of the remaining problems. It will also provide a demo of a container leveraging LSM stacking so that the host uses a different security module than the container.
- 2018 May 26 10:45
- 30 min
- 155 (Medium)
- openSUSE Conference 2018
- Open Source