Chapter 2. Linux System Calls, Permissions, and Capabilities

In most cases, containers run on a host that is itself running the Linux operating system, so it helps to understand some of the fundamental features of Linux, how they affect security, and in particular how they apply to containers. I’ll cover system calls, file-based permissions, and capabilities, and conclude with a discussion of privilege escalation. If you’re already familiar with these concepts, feel free to skip to the next chapter.

This is all important because containers run Linux processes that are visible from the host. A containerized process uses system calls and needs permissions and privileges in just the same way that a regular process does. But containers give us some new ways to control how these permissions are assigned at runtime or during the container image build process, which will have a significant impact on security.

System Calls

Applications run in what’s called user space, which has a lower level of privilege than the operating system kernel. If an application wants to do something like access a file, communicate over a network, or even find out the time of day, it cannot do so directly: it has to ask the kernel to do it on the application’s behalf, and the kernel decides, at that boundary, whether the caller is permitted to do what it asks. The programmatic interface that user space code uses to make these requests of the kernel is known as the system call, or syscall, interface.
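To make the boundary concrete, here is an added example (my own code, not from the book) that does the three things mentioned above, process identity, time of day, and file access, through the raw syscall(2) entry point rather than the usual libc wrappers, so that every crossing into the kernel is explicit. It assumes a Linux host (the SYS_* numbers are Linux-specific; openat and unlinkat are used because some architectures have no plain open) and a writable /tmp; the path and payload in main are constructed placeholders for the demonstration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <time.h>
#include <unistd.h>

/* Process identity: the libc wrapper getpid() and a raw SYS_getpid trap
 * both end up in the same kernel handler, so they must agree. */
int pid_matches_raw_syscall(void)
{
    return getpid() == (pid_t)syscall(SYS_getpid);
}

/* Time of day: even this needs the kernel. (glibc may answer
 * clock_gettime() from the vDSO without a trap, but the raw syscall
 * always crosses into the kernel.) Returns -1 on failure. */
long seconds_since_epoch(void)
{
    struct timespec ts;
    if (syscall(SYS_clock_gettime, CLOCK_REALTIME, &ts) != 0)
        return -1;
    return (long)ts.tv_sec;
}

/* File access with no stdio at all: openat/write/close, then
 * openat/read/close, then unlinkat to tidy up. The kernel checks the
 * caller's permissions on every one of these calls; a process that may
 * not open the path is refused here, not somewhere later.
 * Returns the number of bytes read back into out, or -1 on any failure. */
long write_then_read_raw(const char *path, const char *data,
                         char *out, size_t outlen)
{
    long fd = syscall(SYS_openat, AT_FDCWD, path,
                      O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    long wrote = syscall(SYS_write, (int)fd, data, strlen(data));
    syscall(SYS_close, (int)fd);
    if (wrote < 0 || (size_t)wrote != strlen(data))
        return -1;

    fd = syscall(SYS_openat, AT_FDCWD, path, O_RDONLY);
    if (fd < 0)
        return -1;
    long got = syscall(SYS_read, (int)fd, out, outlen - 1);
    syscall(SYS_close, (int)fd);
    syscall(SYS_unlinkat, AT_FDCWD, path, 0);
    if (got < 0)
        return -1;
    out[got] = '\0';
    return got;
}

/* Convenience check: 1 if the data survives the raw write/read round trip. */
int roundtrip_ok(const char *path, const char *data)
{
    char buf[256];
    long n = write_then_read_raw(path, data, buf, sizeof buf);
    return n >= 0 && (size_t)n == strlen(data) && strcmp(buf, data) == 0;
}

int main(void)
{
    /* Constructed sample path and payload for the demonstration. */
    const char *path = "/tmp/syscall-demo.txt";
    const char *payload = "hello from user space\n";

    printf("pid agrees with raw syscall: %d\n", pid_matches_raw_syscall());
    printf("seconds since epoch: %ld\n", seconds_since_epoch());
    printf("raw file round trip ok: %d\n", roundtrip_ok(path, payload));
    return 0;
}
```

Build with `gcc -Wall -o syscall-demo syscall-demo.c` and run it under `strace ./syscall-demo` to watch each getpid, clock_gettime, openat, write, read, close and unlinkat call cross into the kernel; the same trace works on a containerized process, which is why the set of syscalls a container is allowed to make is a security control in its own right.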

There are some 300+ different system calls, with the number varying according to the version of Linux kernel. ...
