State of Container Security -...
State of Container Security
Dan Walsh @rhatdan
Please Stand
Please read out loud all text in RED
I Promise
To say "Make a copy" rather than "Make a Xerox"
I Promise
To say "Tissue" rather than "Kleenex"
I Promise
To say "Container Registries" rather than "Docker registries"
I Promise
To say "Container Images" rather than "Docker images"
I Promise
To say "Containers" rather than "Docker Containers"
Sit Down
Dan Quiote
Goldilocks & the Three Beers
Goldilocks & The Three Beers
No one turns up security
● How many of you have ever done
  ○ podman run --cap-drop capability ...
● How many of you have ever done
  ○ podman run --privileged …
● People turn down security… Sadly setenforce 0
● How do I get users to move from ...
#nobigfatdaemons
OCI Images format
Container Engines
Humans & Orchestrators
Limiting the power of root: Capabilities
● Allow 14 out of 37 Linux Capabilities by default.
● Originally defined by upstream Docker Project
● Do you know what they are?
The 14 default capabilities: AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, NET_RAW, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT
DEMO
New Idea: Image Developer Specifies Capabilities
Allow images to specify Capabilities as Image Annotations/Labels
Annotation/Label:
LABEL "io.containers.capabilities=SETUID,SETGID"
Defaults: AUDIT_WRITE, CHOWN, DAC_OVERRIDE, FOWNER, FSETID, KILL, MKNOD, NET_BIND_SERVICE, NET_RAW, SETFCAP, SETGID, SETPCAP, SETUID, SYS_CHROOT
Container engine launches container with only SETGID, SETUID
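As an added example (not code from the slides or from the containers project), the following Python helper ties together the two capability slides: it decodes the CapBnd/CapEff bitmask that /proc/&lt;pid&gt;/status reports for a containerized process, reports anything beyond the 14 defaults listed above, and models the proposed io.containers.capabilities label by accepting only labels that narrow the default set. The capability bit numbers are those of linux/capability.h; the sample status text is constructed.

```python
"""Capability audit against the 14-capability container default.
Added example, not from the slides: bit numbers are those of
linux/capability.h; io.containers.capabilities is the label name the
slide proposes; the /proc status text below is constructed."""
import re

# Capability bit numbers: index == CAP_* value in linux/capability.h.
CAP_NAMES = (
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
)
CAP_BIT = {name: bit for bit, name in enumerate(CAP_NAMES)}

# The 14 capabilities the slide lists as the container default set.
DEFAULT_CAPS = frozenset({
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
})


def decode_mask(hex_mask):
    """Turn a CapEff/CapBnd hex value from /proc/<pid>/status into names."""
    value = int(hex_mask, 16)
    return {name for name, bit in CAP_BIT.items() if (value >> bit) & 1}


def caps_from_status(status_text, field="CapBnd"):
    """Extract one capability field from the text of /proc/<pid>/status."""
    m = re.search(r"^%s:\s*([0-9a-fA-F]+)\s*$" % field, status_text, re.M)
    if m is None:
        raise ValueError("no %s line in status text" % field)
    return decode_mask(m.group(1))


def caps_beyond_default(caps):
    """Capabilities a container holds that are not among the default 14
    (what --privileged or --cap-add leaves behind)."""
    return set(caps) - DEFAULT_CAPS


def caps_from_label(labels):
    """Model of the proposed io.containers.capabilities label: return the
    label's list when present, otherwise the defaults.  A label may only
    narrow the set; anything outside the defaults is rejected so an image
    cannot grant itself more than the engine would give anyway."""
    raw = labels.get("io.containers.capabilities")
    if raw is None:
        return set(DEFAULT_CAPS)
    wanted = {c.strip().upper() for c in raw.split(",") if c.strip()}
    unknown = wanted - set(CAP_BIT)
    if unknown:
        raise ValueError("unknown capabilities in label: %s" % sorted(unknown))
    extra = wanted - DEFAULT_CAPS
    if extra:
        raise ValueError("label exceeds default set: %s" % sorted(extra))
    return wanted


if __name__ == "__main__":
    # Constructed sample: the CapBnd line of a process running with
    # exactly the 14 default capabilities.
    sample_status = "Name:\tsleep\nCapBnd:\t00000000a80425fb\n"
    bnd = caps_from_status(sample_status)
    print("beyond default:", sorted(caps_beyond_default(bnd)))
    print("label result:", sorted(caps_from_label(
        {"io.containers.capabilities": "SETUID,SETGID"})))
```

Run it against a real container with `cat /proc/1/status` inside the container as input; a non-empty "beyond default" list is the quickest sign that someone reached for --privileged.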
Every Container Runtime CVE container breakout was a file system breakout.
CVE-2015-3629 Symlink traversal on container respawn allows local privilege escalation (SELinux Blocked)
CVE-2015-3627 Insecure opening of file-descriptor 1 leading to privilege escalation (SELinux Blocked)
CVE-2015-3630 Read/write proc paths allow host modification & information disclosure (SELinux Blocked)
CVE-2015-3631 Volume mounts allow LSM profile escalation (SELinux Blocked)
CVE-2016-9962 RunC Exec Vulnerability (SELinux Blocked)
SELinux Goldilocks
What happens in Vegas stays in Vegas!
SELinux Confinement
● SELinux has blocked almost every Docker breakout so far
● Best tool to protect the file system from container escape.
● Allow container all access within container
  ○ Allow all capabilities
    ■ Let Linux capabilities control them
  ○ Allow all network access
    ■ Let VPN and Firewall rules control
Problems with SELinux Confinement
● Volumes
  ○ Expose parts of OS into Containers
  ○ Relabel content "z", "Z"
    ■ podman run -v /var/lib/db:/var/lib/mariadb:Z mariadb
    ■ podman run -v /var/log:/var/log:Z fluentd
      ● Bad idea, host apps will break
● podman run --security-opt label=disabled
Moving toward Mama Bear without disabling SELinux Separation
https://github.com/containers/udica
1. Examines container configuration
2. Generates SELinux policy
   ○ Allowing access to volume types
Devconf.CZ Talk: Custom SELinux container policies in OpenShift, Sunday, January 26 • 11:00am - 11:55am
Moving toward Papa Bear
https://github.com/containers/udica
1. Enables SELinux capability controls
2. Enables Network controls
Limiting the communications with the Kernel
Processes communicate with the kernel via SYSCALLS
SECCOMP Filters protect
/usr/share/containers/seccomp.json
● Allows 300 Linux Syscalls out of approximately 450
● Eliminates all 32 bit syscalls
● Can we do better?
Limiting the communications with the Kernel
"The high number of available syscalls is essential to support as many containers as possible but according to Aqua Sec, most containers require only 40 to 70 syscalls."
https://podman.io/blogs/2019/10/15/generate-seccomp-profiles.html
Limiting the communications with the Kernel
● oci-seccomp-bpf-hook
  ○ https://github.com/containers/oci-seccomp-bpf-hook
  ○ Generate seccomp profile, tracing syscalls made by container.
Devconf.CZ Talk: Generate seccomp profiles for containers using bpf, Saturday, January 25 • 5:00pm - 5:25pm
DEMO
How do we ship/use generated seccomp rules by default?
New Idea:
● Developer of container image writes seccomp.json
  ○ Package it up into container image
● LABEL "io.containers.seccomp=/seccomp.json"
● Iff container image seccomp.json is subset of default seccomp.json
  ○ Container engine applies image seccomp.json automatically.
Diagram: Image seccomp.json drawn inside Default seccomp.json
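The "iff subset of the default" rule above is the whole safety argument for applying an image-shipped profile without asking the user, so here is an added Python model of that check (not code from the slides or from podman). It reads the defaultAction, syscalls[].names, syscalls[].action and syscalls[].args fields of the OCI seccomp format, treats a default rule that carries argument filters as not allowing the call outright, and falls back to the default profile whenever the label is missing, the file is absent, or the subset test fails; both profiles are small constructed stand-ins.

```python
"""Is an image-shipped seccomp.json a subset of the engine default?
Added example, not from the slides or podman: it covers the OCI profile
fields defaultAction, syscalls[].names, syscalls[].action and
syscalls[].args; the two profiles below are constructed stand-ins for the
real /usr/share/containers/seccomp.json and an image's /seccomp.json."""
import json

ALLOW = "SCMP_ACT_ALLOW"
# Actions that block a syscall and are therefore acceptable as defaultAction.
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL", "SCMP_ACT_KILL_PROCESS",
                "SCMP_ACT_KILL_THREAD", "SCMP_ACT_TRAP"}


def allowed_names(profile, unconditional_only):
    """Syscall names the profile allows.  With unconditional_only=True, rules
    carrying argument filters are skipped, because such a rule admits only
    some invocations of the call, not the call as a whole."""
    names = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != ALLOW:
            continue
        if unconditional_only and rule.get("args"):
            continue
        names.update(rule.get("names", []))
    return names


def is_subset_of_default(image_profile, default_profile):
    """Return (ok, reasons): ok is True iff nothing the image profile allows
    (even conditionally) is blocked by the default profile."""
    reasons = []
    if image_profile.get("defaultAction") not in DENY_ACTIONS:
        reasons.append("image defaultAction %r is not a deny action"
                       % image_profile.get("defaultAction"))
    if default_profile.get("defaultAction") not in DENY_ACTIONS:
        reasons.append("default profile is allow-by-default; cannot compare")
    extra = (allowed_names(image_profile, unconditional_only=False)
             - allowed_names(default_profile, unconditional_only=True))
    if extra:
        reasons.append("image allows syscalls the default blocks: "
                       + ", ".join(sorted(extra)))
    return (not reasons, reasons)


def choose_profile(image_labels, image_files, default_profile):
    """The slide's rule: apply the image's seccomp.json only when the LABEL
    io.containers.seccomp names a file inside the image and that file is a
    subset of the default; otherwise fall back to the default profile."""
    path = image_labels.get("io.containers.seccomp")
    if path is None or path not in image_files:
        return default_profile, "default"
    try:
        image_profile = json.loads(image_files[path])
    except ValueError:
        return default_profile, "default"
    ok, _reasons = is_subset_of_default(image_profile, default_profile)
    return (image_profile, "image") if ok else (default_profile, "default")


# Constructed default: a handful of syscalls; clone only with an argument
# filter (the filter values are made up, not the real default's).
DEFAULT_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "exit_group", "openat", "close", "brk"],
         "action": "SCMP_ACT_ALLOW", "args": []},
        {"names": ["clone"], "action": "SCMP_ACT_ALLOW",
         "args": [{"index": 0, "value": 0, "op": "SCMP_CMP_EQ"}]},
    ],
}
# Constructed image profiles, keyed by path as read from the image rootfs.
GOOD_IMAGE_FILES = {"/seccomp.json": json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["read", "write", "exit_group"],
                  "action": "SCMP_ACT_ALLOW", "args": []}]})}
BAD_IMAGE_FILES = {"/seccomp.json": json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [{"names": ["read", "write", "ptrace", "clone"],
                  "action": "SCMP_ACT_ALLOW", "args": []}]})}
LABELS = {"io.containers.seccomp": "/seccomp.json"}
```

The bad profile is rejected for two reasons at once: ptrace is not in the default at all, and clone is only conditionally allowed there, so an unconditional clone allow in the image would widen what the default permits.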
User Namespace Security
● Allows us to run containers as non-root
  ○ Rootless Podman
  ○ Rootless Buildah
● Rootless Builds inside container launched by Podman or CRI-O/Kubernetes
● Issue: network distribution of /etc/subuid & /etc/subgid
  ○ We are making progress on this, potential sssd solution.
User Namespace Security
● Sadly still no one uses it for container separation
  podman run --usermap 0:100000:5000 …
  podman run --usermap 0:200000:5000 …
● Guarantee different user namespace for each container
● Still no Kubernetes support
● Lack of file system support
  ○ We are getting better with chown
    ■ Parallel chown shows promise
  ○ Shifting file system is moving forward
User Namespace Security: Possible Solution
● podman run --userns=auto
  ○ Podman automatically picks a different User Namespace per Container, guaranteeing uniqueness.
  ○ Similar to what we do with SELinux
  ○ Allow administrator to turn this on by default
● Add similar feature to Kubernetes/CRI-O
  ○ Still have difficulty chowning volumes to match User Namespace
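As an added example (not podman's implementation), a Python model of the allocation that --userns=auto has to get right: carve a non-overlapping UID range for every container out of the user's /etc/subuid grant, refuse to launch when the grant is exhausted rather than silently share a range between two containers, and emit each mapping in the same 0:start:count form as the --usermap flags on the previous slide. The first-fit policy and the sample subuid file are assumptions.

```python
"""Model of how an engine can hand every container its own UID range
from /etc/subuid so that no two containers share a user namespace, the
property --userns=auto is meant to guarantee.  Added example, not podman's
implementation; the allocation policy (first fit, lowest free start) and
the sample subuid file are assumptions."""


def parse_subid(text, user):
    """Return the (start, count) ranges /etc/subuid grants `user`."""
    ranges = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, start, count = line.split(":")
        if name == user:
            ranges.append((int(start), int(count)))
    return ranges


def overlaps(a, b):
    """True if two (start, count) ranges share at least one id."""
    return a[0] < b[0] + b[1] and b[0] < a[0] + a[1]


def allocate(granted, in_use, size):
    """First-fit allocation of `size` ids inside the granted ranges,
    skipping ranges already mapped into other containers.  Raises when no
    free range is left, instead of silently reusing one."""
    for start, count in granted:
        candidate = start
        while candidate + size <= start + count:
            clash = [u for u in in_use if overlaps((candidate, size), u)]
            if not clash:
                return (candidate, size)
            # Jump past the highest clashing range and try again.
            candidate = max(u[0] + u[1] for u in clash)
    raise RuntimeError("no free range of %d ids in %r" % (size, granted))


def usermap_flag(mapping, container_uid=0):
    """Format a mapping the way the slide's --usermap examples do."""
    start, size = mapping
    return "%d:%d:%d" % (container_uid, start, size)


def launch_plan(subuid_text, user, n_containers, size):
    """Assign n_containers disjoint ranges; return their --usermap values."""
    granted = parse_subid(subuid_text, user)
    in_use, flags = [], []
    for _ in range(n_containers):
        mapping = allocate(granted, in_use, size)
        in_use.append(mapping)
        flags.append(usermap_flag(mapping))
    return flags


# Constructed sample /etc/subuid: dan owns 100000..165535 (65536 ids).
SAMPLE_SUBUID = "# user:start:count\ndan:100000:65536\nalice:165536:65536\n"

if __name__ == "__main__":
    for flag in launch_plan(SAMPLE_SUBUID, "dan", 3, 5000):
        print("podman run --usermap %s ..." % flag)
```

With 5000 ids per container the sample grant fits 13 containers; the 14th request fails loudly, which is the behaviour you want instead of a shared range.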
Containers.conf
● Allow distributions/Administrators & Users to set default settings for containers.
  ○ /usr/share/containers/containers.conf
  ○ /etc/containers/containers.conf
  ○ $HOME/.config/containers.conf
● Including Default Capabilities.
  ○ Eliminate questionable Capabilities
● Default to allowing ping within your containers with sysctl
  ○ Default_sysctls
Recommended Container Engine Talks
Fri 12:30pm - Container Security BOF - what's next?
Fri 1:30pm - Understanding Container Engines by Demo™
Sat 10:30am - Podman, Buildah, Skopeo, and CRI-O A Year Later
Sat 12:30pm - Finding, Building, Sharing & Deploying Containers
Sat 2:30pm - Building multi-arch container images with buildah
Sat 4:30pm - From Terminal to Container: Tracing Podman Run
Sat 5:00pm - Generate seccomp profiles for containers using bpf
Sun 10:00am - Kubernetes BOF Josh Berkus
Sun 11:00am - Custom SELinux container policies in OpenShift
Sun 12:00pm - OCP+Fedora+VirtualKubelet+RPI3+Podman = Fun^2!
Sun 1:00pm - Containers Birds of a Feather