Monday

Room 5

09:00 - 17:00 (UTC+02)

2 Days

Linux Security and Isolation APIs Fundamentals

This workshop provides an introduction to the low-level Linux features - set-UID/set-GID programs, capabilities, namespaces, cgroups (control groups), and seccomp - used to implement privileged applications and build container, virtualization, and sandboxing technologies. The workshop will equip participants with the knowledge needed to understand, design, develop, and troubleshoot such applications.

Linux
Security

Topics

  • Introduction
  • Classical privileged programs
    • Process credentials
    • Set-user-ID and set-group-ID programs
    • Changing process credentials
  • Capabilities
    • Process and file capabilities
    • Setting and viewing file capabilities
    • Text form capabilities
    • Capabilities and execve()
    • Root, UID transitions, and capabilities (*)
    • Programming with capabilities (*)
  • Namespaces
    • Namespace types
    • UTS namespaces
    • Namespace APIs and commands
    • Mount namespaces and shared subtrees
    • PID namespaces
  • Namespaces APIs
    • Creating a child process in a new namespace: clone()
    • /proc/PID/ns
    • Entering a namespace: setns()
    • Creating a namespace: unshare()
    • PID namespaces idiosyncrasies (*)
  • User Namespaces
    • Overview of user namespaces
    • Creating and joining a user namespace
    • User namespaces: UID and GID mappings
    • User namespaces, execve(), and user ID 0
    • Combining user namespaces with other namespaces
    • User namespaces and capabilities
    • What does it mean to be superuser in a namespace?
  • Cgroups (Control Groups) Version 2
    • What are cgroups?
    • Example: the pids controller
    • Cgroups v2 controllers
    • Enabling and disabling controllers
    • Organizing cgroups and processes
    • Additional features (release notification; delegation; thread mode) (*)
    • Differences between cgroups v1 and v2 (*)
  • Seccomp (*)
    • The BPF virtual machine and BPF instructions
    • BPF filter return values
    • Checking the architecture
    • Discovering the system calls made by a program
    • Productivity aids (libseccomp)

Audience

The primary audience comprises designers and programmers building privileged applications, container applications, and sandboxing applications. Systems administrators and DevOps engineers who are managing such applications are also likely to find the workshop of benefit.

Format

The workshop consists of a mixture of presentations coupled with practical exercises that allow participants to apply the knowledge learned in the presentations.

Prerequisites

Participants should be familiar with fundamental system programming topics such as file I/O using system calls, signals, and the system calls that define the lifecycle of a process (fork(), execve(), wait(), exit()). For a refresher on these topics, you can download the course materials available at https://man7.org/training/spess/. In addition, participants should have a reading knowledge of the C programming language. (Note, however, that the practical sessions do not require writing C programs.)

Computer Setup

You'll need a laptop with Linux installed - either as a native install or inside a virtual machine (VM). You should ensure that you have a fairly recent Linux distribution.

Michael Kerrisk

Michael Kerrisk is a programmer, writer, and trainer who has a passion for investigating and explaining software systems. He is the author of "The Linux Programming Interface", a widely acclaimed book on Linux (and UNIX) system programming. He has been actively involved in the Linux development community since 2000, operating mainly in the area of testing, design review, and documentation of kernel-user-space interfaces. Since 2004, he has maintained the Linux "man-pages" project, which provides the primary documentation for Linux system calls and C library functions. Michael is a New Zealander, living in Munich, Germany, from where he operates a training business (man7.org) providing low-level Linux programming courses in Europe, North America, and occasionally further afield.