The adoption of Docker containers has revolutionized software deployment by providing a lightweight and efficient way to isolate applications in data centers. However, securing these containers, especially when handling sensitive data, poses significant challenges. Traditional Linux Security Modules (LSMs) such as SELinux and AppArmor have limitations in providing fine-grained access control to files within containers. This paper presents a novel approach using eBPF (extended Berkeley Packet Filter) to implement an LSM that focuses on file-oriented access control within Docker containers. The module allows the specification of policies that determine which programs can access sensitive files, providing enhanced security without relying solely on the host operating system’s major LSM.