YoVDO

Improving Container Security with System Call Interception

Offered By: Linux Foundation via YouTube

Tags

Container Security Courses Cybersecurity Courses Linux Courses LXD Courses Seccomp Courses

Course Description

Overview

Explore the intricacies of container security through system call interception in this 50-minute Linux Foundation talk. Delve into the seccomp system call interception mechanism introduced in Linux 5.9, understanding its potential for enhancing container security. Learn about the challenges and proper implementation techniques to avoid time-of-check/time-of-use issues. Discover how this technology enables unprivileged containers to perform privileged tasks selectively through a monitoring process. Examine LXD's practical applications of system call interception, including uses for the "setxattr," "bpf," "mount," and "mknod" system calls. Gain insights into the innovative approach of intercepting "mount" system calls and replacing them with FUSE mounts. Cover topics such as different container types, seccomp fundamentals, safety concerns, mount and sysinfo operations, and future developments in container security.

Syllabus

Improving Container Security
Different types of containers
Seccomp and system call interception
Safety concerns
mount
sysinfo
What's next?
Questions?

Taught by

Linux Foundation

Related Courses

Scenario Based LXD/LXC Security
A Cloud Guru
Scenario Based Docker Security
A Cloud Guru
Using Seccomp to Limit the Kernel Attack Surface
Linux Foundation via YouTube
Trace Me if You Can - Bypassing Linux Syscall Tracing
Black Hat via YouTube
Sandboxing Based on SECCOMP for Linux Kernel
Ekoparty Security Conference via YouTube