SELinux
SELinux (Security-Enhanced Linux) is a mandatory access control system for processes. The Linux kernel uses SELinux to protect processes from each other and to protect the host system from the processes running on it. Processes run as a confined SELinux type that has limited access to host system resources.
The mode SELinux runs in is set in /etc/selinux/config; check or configure the SELINUX value there. The possible values are:
- SELINUX=disabled
- SELINUX=enforcing
- SELINUX=permissive
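As an added example (not code from the original post), the shell functions below read the SELINUX value from a config file in the /etc/selinux/config format and turn it into a hardening verdict: enforcing is fine, permissive only logs denials without blocking them, and disabled or unset means SELinux is not protecting anything. The function takes the file path as an argument so it can be run against a constructed file; the sample config files in the usage are constructed, not taken from a real host.

```shell
#!/bin/sh
# Added example: parse the SELINUX= mode out of an SELinux config file.
# Assumed format (that of /etc/selinux/config): KEY=VALUE lines, '#' comments,
# blank lines. SELINUXTYPE= is a different key and must not be confused with it.

# Print the configured mode (disabled / permissive / enforcing), lowercased,
# ignoring comments and surrounding whitespace. Prints "unset" if the key is
# absent or the file cannot be read. If the key appears more than once, the
# last occurrence wins.
selinux_config_mode() {
    config_file=${1:-/etc/selinux/config}
    mode=$(sed -n 's/^[[:space:]]*SELINUX[[:space:]]*=[[:space:]]*\([A-Za-z]*\).*/\1/p' \
               "$config_file" 2>/dev/null | tail -n 1)
    if [ -z "$mode" ]; then
        echo unset
    else
        echo "$mode" | tr '[:upper:]' '[:lower:]'
    fi
}

# Map the configured mode to a verdict a hardening check would report:
#   enforcing  -> ok    (denials are enforced)
#   permissive -> warn  (denials are only logged, nothing is blocked)
#   anything else -> fail (SELinux disabled, key missing, or file unreadable)
selinux_verdict() {
    case "$(selinux_config_mode "$1")" in
        enforcing)  echo ok ;;
        permissive) echo warn ;;
        *)          echo fail ;;
    esac
}

# Usage on a real host: selinux_verdict /etc/selinux/config
# Note that the config file only describes the mode applied at boot; the mode
# currently in force is reported by `getenforce`, so a check should compare both.
```

The config file is what the system loads at boot, while `getenforce` reports what the kernel is enforcing right now; a host that was switched to permissive at runtime with `setenforce 0` still shows SELINUX=enforcing in the file, so a thorough check compares both.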
Seccomp
Seccomp stands for secure computing mode. "The seccomp() system call operates on the Secure Computing (seccomp) state of the calling process." (man page definition)
Seccomp limits how processes can use system calls. A seccomp profile whitelists the system calls, arguments and file descriptors a process is allowed to use; for a container, it defines which system calls the container may and may not execute. In other words, it restricts the calls a process or container is able to make from userspace into the kernel.
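The following is an added example, not code from the original post, showing what such a whitelist looks like in practice. It emits a seccomp profile in the JSON layout Docker accepts with `--security-opt seccomp=<file>`: a default action of SCMP_ACT_ERRNO (every syscall fails with an errno unless listed) plus one rule allowing the named syscalls, and a second function checks whether a profile written by the first allows a given syscall. The syscall names passed in the usage are constructed sample values to exercise the functions, not a recommended minimal set for any workload.

```shell
#!/bin/sh
# Added example: build and query a Docker-style seccomp allowlist profile.
# The JSON shape (defaultAction, architectures, syscalls[].names/action/args)
# is the format Docker reads; the architecture list is assumed to be x86_64 only.

# Emit a profile that denies every syscall with an errno except the names
# given as arguments, which are allowed.
make_seccomp_profile() {
    printf '{\n'
    printf '  "defaultAction": "SCMP_ACT_ERRNO",\n'
    printf '  "architectures": ["SCMP_ARCH_X86_64"],\n'
    printf '  "syscalls": [\n'
    printf '    {\n      "names": ['
    sep=""
    for name in "$@"; do
        printf '%s"%s"' "$sep" "$name"
        sep=", "
    done
    printf '],\n      "action": "SCMP_ACT_ALLOW",\n      "args": []\n    }\n  ]\n}\n'
}

# Return 0 if PROFILE_FILE allows SYSCALL, 1 otherwise.
# Assumes the single-line "names" array produced above (this is a text
# extraction, not a full JSON parse); grep -x requires an exact name match,
# so "write" does not also allow "writev".
profile_allows() {
    profile_file=$1
    syscall=$2
    sed -n 's/.*"names": \[\(.*\)\].*/\1/p' "$profile_file" \
        | tr -d '" ' | tr ',' '\n' | grep -qx "$syscall"
}

# Usage (sample syscall names are constructed for illustration):
#   make_seccomp_profile read write exit_group > profile.json
#   docker run --security-opt seccomp=profile.json <image>
```

Starting from a deny-by-default profile and adding syscalls the application demonstrably needs keeps the attack surface small; the usual way to find that list is to run the workload under a logging profile or `strace` in a test environment and collect the syscalls it actually makes.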
Namespaces
The kernel can isolate specific system resources that are normally visible to all processes by placing them within a namespace. Inside a namespace, only processes that are members of that namespace can see or use those resources. Namespaces are how security boundaries are applied to containers. The seven major namespaces that provide these boundaries and restrictions are:
- Cgroup — Cgroup root directory
- IPC — Inter Process Communication, POSIX message queues
- Network — Network devices, stacks, ports, etc.
- Mount — Mount points
- PID — Process IDs
- User — User and group IDs
- UTS — Hostname and NIS domain name
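As an added example (not code from the original post), the function below makes the seven namespaces concrete by comparing two processes through their /proc/<pid>/ns/* symlinks, whose targets look like "net:[4026531992]"; two processes whose link targets match share that namespace. It takes the two /proc/<pid> directories as arguments so it can be pointed at a real host and container, or at a constructed directory tree as in the usage. The inode numbers in the usage are constructed.

```shell
#!/bin/sh
# Added example: compare the namespaces of two processes via /proc/<pid>/ns.
# The link names assumed here are the kernel's: cgroup ipc mnt net pid user uts
# (the seven listed above; mnt is the mount namespace).

NS_TYPES="cgroup ipc mnt net pid user uts"

# Print one line per namespace type: "<type> shared" or "<type> separate".
# A type whose link is missing or unreadable in either tree is reported as
# "<type> unknown" rather than silently treated as isolated.
ns_compare() {
    proc_a=$1
    proc_b=$2
    for ns in $NS_TYPES; do
        a=$(readlink "$proc_a/ns/$ns" 2>/dev/null || true)
        b=$(readlink "$proc_b/ns/$ns" 2>/dev/null || true)
        if [ -z "$a" ] || [ -z "$b" ]; then
            echo "$ns unknown"
        elif [ "$a" = "$b" ]; then
            echo "$ns shared"
        else
            echo "$ns separate"
        fi
    done
}

# Return 0 only if every namespace type is separate, i.e. the second process
# is isolated from the first in all seven namespaces; 1 if any is shared or unknown.
ns_fully_isolated() {
    ns_compare "$1" "$2" | grep -qv ' separate$' && return 1
    return 0
}

# Usage on a real host (needs permission to read both /proc entries):
#   ns_compare /proc/$$ /proc/$(docker inspect -f '{{.State.Pid}}' <container>)
```

Reading another process's ns links requires ptrace-level access to it, so this is normally run as root. A container started with host networking, for instance, shows "net shared", and one without user namespace remapping shows "user shared", which is what the check in `ns_fully_isolated` is meant to surface.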
Control groups (cgroups)
Control groups partition sets of processes and their children into groups to manage and limit the resources they consume. Control groups place restrictions on the amount of system resources that processes can use. Those restrictions keep one process/container from using too many resources on the host.
Examples of cgroup controls:
- cpu-shares
- cpuset-cpus
- memory-reservation
- kernel-memory
- blkio-weight (block IO)
- device-read-iops
- device-write-iops
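The following is an added example, not code from the original post. The controls listed above end up as values in the container's cgroup directory; the functions below read the cgroup v2 interface files memory.max, cpu.max and pids.max from such a directory and flag any limit that is unbounded (the literal value "max" means no limit, and a missing file means the controller is not applying one). The directory is an argument so the same functions can be run against a constructed tree; the limit values in the usage are constructed samples.

```shell
#!/bin/sh
# Added example: inspect the limits on a cgroup v2 directory and report
# unbounded ones. Assumed files: memory.max (bytes or "max"), cpu.max
# ("<quota> <period>" or "max <period>"), pids.max (count or "max").

# Print "<file> <value>" for each limit file present, "<file> missing" otherwise.
cgroup_limits() {
    cg=$1
    for f in memory.max cpu.max pids.max; do
        if [ -r "$cg/$f" ]; then
            printf '%s %s\n' "$f" "$(cat "$cg/$f")"
        else
            printf '%s missing\n' "$f"
        fi
    done
}

# Return 0 if memory, cpu and pids are all bounded. Return 1 and print the
# offending file names (one per line) if any is "max" or missing. For cpu.max
# the first field is the quota, so "max 100000" counts as unbounded.
cgroup_bounded() {
    unbounded=$(cgroup_limits "$1" | awk '$2 == "max" || $2 == "missing" { print $1 }')
    if [ -n "$unbounded" ]; then
        echo "$unbounded"
        return 1
    fi
    return 0
}

# Usage on a real host (path is an example; the exact scope name depends on
# the container runtime and cgroup driver):
#   cgroup_bounded /sys/fs/cgroup/system.slice/docker-<container-id>.scope
```

A container whose memory or pids limit reads "max" can exhaust the host through a leak or a fork bomb, which is exactly the "too many resources on the host" case cgroups exist to prevent, so this is a useful check to run over every container cgroup on a node.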
Listen to my recorded session here if you want to understand these topics in detail.
1 Comment
xolio
March 11, 2023
In an Agile approach a technology roadmap feeds the sprint and grooming processes, providing insight into how the product will travel from start to finish. It makes it easier for development.