
Hertz: Abusing privileged and unprivileged Linux containers

Posted Jun 2, 2016 14:15 UTC (Thu) by jwildebo (guest, #38479)
In reply to: Hertz: Abusing privileged and unprivileged Linux containers by corsac
Parent article: Hertz: Abusing privileged and unprivileged Linux containers

It also completely ignores the hard work done on using SELinux to help in container security and isolation. I think it is a bit unfair to claim "Linux" in the title of this paper while looking only at some aspects that are not really universal. It mentions AppArmor, so I guess the author comes from the Debian/Ubuntu side of Linux?

Jan (disclaimer: Red Hat's EMEA Evangelist)



Hertz: Abusing privileged and unprivileged Linux containers

Posted Jun 3, 2016 6:07 UTC (Fri) by drag (guest, #31333)

Docker is essentially Ubuntu. Specifically Ubuntu 14.04. At least that is the perception. I don't like that personally (as going back to 14.04 feels like time travelling to the bad-old-days), but that is the standard setup.

Hertz: Abusing privileged and unprivileged Linux containers

Posted Jun 4, 2016 5:27 UTC (Sat) by khz (guest, #109129)

Hey, author here. Yes, I did *totally* ignore the hard work being done on SELinux and non-Ubuntu/Debian-based systems. This is nothing against those systems (or for them). In my time as a penetration tester working on container systems, almost every single one I have evaluated was either LXC or Docker, using a Debian/Ubuntu base OS, with AppArmor used as the LSM. This paper was very much intended to be 'stories from the trenches', so it represents what I've encountered, and how they can often be insecure by default (or in somewhat subtle ways).

If you know of anyone using RHES / SELinux based containers, feel free to send em my way. I know Aaron and I would love to audit them :)
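The thread turns on which LSM (AppArmor or SELinux) is actually confining a container, and whether the profile in effect is enforcing anything. The check below is an added example, not code from the paper or from any of the commenters: it reads the label the kernel exposes for the current process in /proc/self/attr/current and classifies it as AppArmor, SELinux, or nothing, flagging AppArmor profiles in complain mode (denials logged, not blocked) and the SELinux unconfined_t / spc_t types (spc_t is the "super privileged container" type that container-selinux assigns to --privileged containers). The sample label strings are constructed for the demonstration; the path names are the standard kernel ones.

```python
import os

# Constructed sample label strings, in the form /proc/self/attr/current returns them.
SAMPLE_LABELS = {
    "docker, apparmor enforcing": "docker-default (enforce)\n",
    "lxc, apparmor enforcing": "lxc-container-default (enforce)\n",
    "docker, apparmor complain": "docker-default (complain)\n",
    "apparmor, no profile": "unconfined\n",
    "selinux container": "system_u:system_r:container_t:s0:c123,c456\n",
    "selinux privileged container": "system_u:system_r:spc_t:s0\n",
    "selinux unconfined": "unconfined_u:unconfined_r:unconfined_t:s0\n",
    "no lsm": "",
}

# SELinux types that do not meaningfully confine a container process.
SELINUX_UNCONFINED_TYPES = ("unconfined_t", "spc_t")


def classify_label(label):
    """Classify one LSM label string.

    Returns (lsm, confined, detail) where lsm is "apparmor", "selinux" or
    "none" and confined is True only when a restrictive policy is enforced.
    """
    label = label.strip()
    if not label:
        return ("none", False, "no LSM label")
    # An SELinux context is user:role:type:range; the range itself may
    # contain a colon (s0:c123,c456), so at least three colons are present.
    if label.count(":") >= 3:
        selinux_type = label.split(":")[2]
        confined = selinux_type not in SELINUX_UNCONFINED_TYPES
        return ("selinux", confined, selinux_type)
    # Otherwise treat it as AppArmor: "unconfined" or "<profile> (<mode>)".
    if label == "unconfined":
        return ("apparmor", False, "unconfined")
    name, _, mode = label.partition(" ")
    mode = mode.strip("()") or "enforce"  # older kernels omit the mode when enforcing
    return ("apparmor", mode == "enforce", f"{name} ({mode})")


def read_current_label(path="/proc/self/attr/current"):
    """Return the LSM label of this process, or "" if no LSM exposes one."""
    try:
        with open(path, "rb") as fh:
            return fh.read().decode("utf-8", "replace").rstrip("\0")
    except OSError:
        return ""


def active_lsms(path="/sys/kernel/security/lsm"):
    """Return the list of LSMs the kernel was booted with (empty if securityfs is absent)."""
    try:
        with open(path) as fh:
            return [name for name in fh.read().strip().split(",") if name]
    except OSError:
        return []


def audit_samples():
    """Classify every constructed sample; returns {description: (lsm, confined, detail)}."""
    return {desc: classify_label(label) for desc, label in SAMPLE_LABELS.items()}


if __name__ == "__main__":
    print("kernel LSMs:", ",".join(active_lsms()) or "(unknown)")
    print("this process:", classify_label(read_current_label()))
    for desc, result in audit_samples().items():
        print(f"{desc:30s} -> {result}")
```

Run it inside the container under review (not on the host): a result of ("apparmor", False, ...) or ("selinux", False, ...) means the process could reach anything its Linux capabilities and namespaces allow, which is the "insecure by default" situation the paper describes. A complain-mode AppArmor profile looks confined in container metadata but only logs denials, which is why the mode is parsed rather than just the profile name.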


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds