
To learn more about Linux containers, including how you can use them to break exploits and contain attackers, watch my corresponding webinar, "Securing Applications with Linux Containers".

In 2005, Linux took the next step in jailing programs with the development of the Linux container. While there have been a number of container runtimes, Docker popularized this in 2013. I'm a fan of Docker and its offshoot "runc" program, as they make it easy to get your feet wet with containers. I like to show people how easily they can break exploits with containers. Here are a few of the things you can do to a program in a container:
- Drop root capabilities
- Replace the root user with one that doesn’t have root privileges outside the container
- Filter system calls available to the program with seccomp
- Massively reduce the operating system programs available to the attacker
- Apply an AppArmor or SELinux profile specific to the container

Root capabilities are the individual pieces of root's power that a container can give up. Examples of capabilities that can be dropped include:
- The ability to listen on a TCP or UDP port below 1024
- The ability to override file ownership
- The ability to impersonate other users
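The following is an added example, not code from the original post: a small shell script that assembles a `docker run` invocation applying the controls listed above (drop all capabilities and re-add only port binding, run as an unprivileged user, seccomp and AppArmor profiles, read-only root filesystem). The image name `example/app:1.0`, the UID 10001 and the syscall allowlist are placeholders I chose for illustration; `docker-default` is Docker's stock AppArmor profile name.

```shell
#!/bin/sh
# Added example: hardened `docker run` arguments for a containerised program.
# All flags are standard Docker CLI options; the image, UID and syscall list
# below are constructed placeholders, not taken from any real deployment.

# Write a seccomp profile in Docker's JSON format that returns EPERM for every
# syscall except the ones named. The allowlist is deliberately tiny to show the
# shape of the file; for a real service start from Docker's default profile and
# trim it based on what the program actually calls (e.g. observed with strace).
write_seccomp_profile() {
    cat > "$1" <<'EOF'
{
  "defaultAction": "SCMP_ACT_ERRNO",
  "architectures": ["SCMP_ARCH_X86_64"],
  "syscalls": [
    { "names": ["read", "write", "close", "fstat", "brk", "mmap", "munmap",
                "rt_sigreturn", "exit", "exit_group"],
      "action": "SCMP_ACT_ALLOW" }
  ]
}
EOF
}

# Print the argument list for `docker run`. Each flag maps to one of the
# controls discussed in the text above.
hardened_run_args() {
    image="$1"; seccomp="$2"; apparmor="$3"
    # --cap-drop=ALL removes every root capability; NET_BIND_SERVICE is then
    # re-added so the program can still listen below port 1024.
    # --user runs as a non-root UID/GID that has no privileges on the host.
    # no-new-privileges blocks setuid/setgid binaries from regaining privilege.
    # --read-only makes the root filesystem immutable; /tmp gets a tmpfs.
    printf '%s ' \
        --cap-drop=ALL \
        --cap-add=NET_BIND_SERVICE \
        --user 10001:10001 \
        --security-opt no-new-privileges \
        --security-opt "seccomp=$seccomp" \
        --security-opt "apparmor=$apparmor" \
        --read-only \
        --tmpfs /tmp \
        "$image"
}

# Run with DEMO=1 to print the full command for the placeholder image.
if [ "${DEMO:-}" = "1" ]; then
    profile=$(mktemp)
    write_seccomp_profile "$profile"
    echo "docker run $(hardened_run_args example/app:1.0 "$profile" docker-default)"
fi
```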