Video and slides synchronized, mp3 and slide download available at URL http://bit.ly/2bvQTpB. Jessie Frazelle talks about the differences between application sandboxes and containers. She covers all the work being done in this area including but not limited to rootless containers, custom AppArmor profiles, seccomp profiling, and the future of container security. Filmed at qconnewyork.com. Jessie Frazelle works at Mesosphere.

1. Unprivileged Containers
Jess Frazelle, @jessfraz

2. InfoQ.com: News & Community Site
• 750,000 unique visitors/month
• Published in 4 languages (English, Chinese, Japanese and Brazilian
Portuguese)
• Post content from our QCon conferences
• News 15-20 / week
• Articles 3-4 / week
• Presentations (videos) 12-15 / week
• Interviews 2-3 / week
• Books 1 / month
Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
sandbox-container

3. Presented at QCon New York
www.qconnewyork.com
Purpose of QCon
- to empower software development by facilitating the spread of
knowledge and innovation
Strategy
- practitioner-driven conference designed for YOU: influencers of
change and innovation in your teams
- speakers and topics driving the evolution and innovation
- connecting and catalyzing the influencers and innovators
Highlights
- attended by more than 12,000 delegates since 2007
- held in 9 cities worldwide

4. How do containers help security?
Containers are not going to be the answer to
preventing your application from being
compromised, but they can limit the damage
from a compromise.

5. How do containers help security?
The world an attacker might see from inside a
very strict container with custom
AppArmor/Seccomp profiles greatly differs
than that without the use of containers.

6. Sandboxes Today

7. Chrome
- Seccomp
- Namespaces
- Apparmor
- NOT RUN AS ROOT

8. Containers today
- Namespaces
- Apparmor
- Selinux
- Capabilities Limiting
- Cgroups
- Run as root :(

9. How can we get to sandboxes
with containers?

10. Back to the Basics
A “container” is what we have come to call a
group of namespaces and control groups
applied to a process.

11. Control Groups (cgroups)
Limit what the process can use. Resource
metering and limiting.
Types: memory, CPU, blkio, network, device,
pid..

12. PID Cgroup

13. Namespaces
Limit what the process sees.
Types: pid, net, mnt, uts, ipc, user
Created with clone() or unshare()

14. Net Namespace

15. UTS Namespace

16. IPC Namespace

17. PID Namespace

18. User Namespace

19. Makings of a Sandbox: Containers
- Namespaces
- Apparmor
- Selinux
- Capabilities Limiting
- Cgroups
NOT RUN
AS ROOT

20. POC or GTFO

21. POC or GTFO

22. What is this sorcery?
- User namespaces can be created without
root.
- But only if the {uid,gid}_map is mapped to
the current user creating the namespace.

23. Not Perfect …. yet
- Cgroups devices cannot be created
without CAP_SYS_ADMIN

24. New Hotness: Cgroup Namespace
- In Kernels 4.6+, not
yet released, on RC5
currently
- False prophet to
solve all the
problems, but maybe
in the future.

25. Cgroup Namespace

26. What to look forward to...
- Containers in a multi-tenant environment not run as
root.
- Sane defaults with the ability to customize for a
sandbox experience.
- Better designed user experiences for dealing with
security policies.

27. Resources
https://github.com/docker/docker/issues/17142
http://www.sysdig.org/falco/

28. Watch the video with slide
synchronization on InfoQ.com!
https://www.infoq.com/presentations/
sandbox-container