Linux Security Summit 2014/Abstracts/Hallyn
Application Confinement with User Namespaces
Serge Hallyn & Stéphane Graber, Canonical
Application sandboxing using MAC has become common-place. SELinux and AppArmor policies to protect a user from things like browsers and bittorrent clients are available to most, even if they not as widely used as we would like. Some people use VMs to sandbox heavyweight applications, with an obviously greater performance penalty. Pure container sandboxing eschewed this penalty at the cost of reduced isolation. Combining container sandboxing with MAC, as was done by virt-sandbox-service and in default Ubuntu LXC containers, makes for a terrific tool for sandboxing untrusted applications.
While privileged containers offer benefits by partially isolating applications using namespaces and cgroups, a whole new level of confinement is reached when adding user namespaces. By supporting creation and use of unprivileged containers by users who have no root access at all, this level of sandboxing is now more accessible than ever.
We will begin by describing user namespaces in general, then proceed to demonstrate an unprivileged container plus apparmor confining gui applications.