Linux kernel namespaces provide isolated views of kernel resources, such as networking, IPC, and filesystem mounts. Combined with cgroups, namespaces form the basis of Linux containers, a form of lightweight virtualization in which all containers share a single kernel image.
While namespacing support has been implemented for several key kernel resources, security components of the kernel such as LSMs (Linux Security Modules) currently lack namespacing support. This presents many challenges for those wishing to deploy full-system containers, which appear to the user to be operating system instances, but which are in fact subject to global security mechanisms and policies.
In this talk, I'll discuss the work in progress to extend Linux kernel namespacing support to SELinux, to allow full-system containers to load their own individual security policies into a virtualized instance of the SELinux kernel mechanism. This work is based on prototype patches posted by the NSA a few months ago, which I've been extending to cover file labeling support as one of several current TODO items.
We'll discuss how the core SELinux components have been virtualized, the namespacing of xattr-based inode security labels, and future challenges for this project.
James is the maintainer of the Linux security subsystem and a kernel engineer at Oracle.