Linux Security and Isolation APIs Fundamentals course outline

1. Course Introduction
2. Classical Privileged Programs
   • A simple set-user-ID program
   • Saved set-user-ID and saved set-group-ID
   • Changing process credentials
   • A few guidelines for writing privileged programs
3. Capabilities
   • Process and file capabilities
   • Permitted and effective capabilities
   • Setting and viewing file capabilities
   • Capabilities-dumb and capabilities-aware applications
   • Text-form capabilities
   • Capabilities and execve()
   • The capability bounding set
   • Capabilities and UID transitions
   • Summary remarks
4. Capabilities: Further Topics
   • Capabilities, UID 0, and execve()
   • Programming with capabilities (*)
5. Namespaces
   • An example: UTS namespaces
   • Namespaces commands
   • Namespaces demonstration (UTS namespaces)
   • Namespace types and APIS
6. Mount Namespaces and Shared Subtrees
   • Mount namespaces
   • Shared subtrees
7. PID Namespaces
   • PID namespaces
8. Namespaces APIs
   • API Overview
   • Creating a child process in new namespaces: clone()
   • /proc/PID/ns
   • Entering a namespace: setns()
   • Creating a namespace: unshare()
   • PID namespaces idiosyncrasies
9. User Namespaces
   • Overview of user namespaces
   • Creating and joining a user namespace
   • User namespaces: UID and GID mappings
   • User namespaces, execve(), and user ID 0
   • Use cases
   • Combining user namespaces with other namespaces
10. User Namespaces and Capabilities
    • User namespaces and capabilities
    • What does it mean to be superuser in a namespace?
11. Cgroups: Introduction
    • Preamble
    • What are control groups?
    • An example: the pids controller
    • Creating and destroying cgroups
    • Populating a cgroup
    • Enabling and disabling controllers
12. Cgroups: A Survey of the Controllers
    • The cpu, memory, freezer, and pids controllers
    • Other controllers (*)
13. Seccomp (*)
    • Seccomp filtering and BPF
    • The BPF virtual machine and BPF instructions
    • BPF filter return values
    • BPF programs
    • Checking the architecture
    • Productivity aids (libseccomp and other tools)
    • Applications and further information

(*) Topics marked with an asterisk may be covered, if time permits.

Return to the course overview