diamond_fulldiamonddiamond_halfdiamond_eurosearch-iconmenuchat-iconclose-iconenvelope-iconsmartphone-call-icon

Themen

container

preview-image for Kubescale Title Image

Kubernetes RBAC: Paths for Privilege Escalation

17. Juli, 2023 #kubernetes #cloud #container #attacks

Kubernetes is a widely used open-source container orchestration system that helps to reduce workloads when dealing with container management in distributed systems. Its built-in authorization module is enabled by default and provides authorization mechanisms that prevent unauthorized access to resources. However, certain permissions enable their subject to escalate their privileges to a potentially Cluster compromising extent.

preview-image for Logo

Linux Container Primitives: cgroup Kernel View and Usage in Containerization

28. Juni, 2022 #linux #container

Disclaimer: The elaboration associated to this subject results from a Master’s thesis created at SCHUTZWERK in collaboration with Aalen University by Philipp Schmied. The previous post of the Linux Container Primitives series explains the internals of the cgroup kernel primitive. The following list shows the topics of all scheduled blog posts. It will be updated with the corresponding links once new posts are being released. An Introduction to Linux Containers Linux Capabilities An Introduction to Namespaces The Mount Namespace and a Description of a Related Information Leak in Docker The PID and Network Namespaces The User Namespace Namespaces Kernel View and Usage in Containerization An Introduction to Control Groups The Network and Block I/O Controllers The Memory, CPU, Freezer and Device Controllers Control Groups Kernel View and Usage in Containerization cgroup Kernel View In the kernel source code, control groups are represented by the cgroup structure defined in linux/cgroup-defs.

preview-image for Logo

Linux Container Primitives: User Namespaces

8. September, 2020 #linux #container

After discussing the PID and network namespaces in Docker, this part of your container series covers one of the most important namespace types in detail – the user namespace. This namespace type introduces mapping user and group IDs and the isolation of capabilities per-namespace. For instance, a process can run with a non-zero UID outside of a user namespace while having a UID of zero in a namespace

preview-image for Logo

Linux Container Primitives: PID and Network Namespaces

24. August, 2020 #linux #container

After discussing the mount namespace and an information leak issue in Docker, this part of your container series illustrates the PID and network namespace types. By creating a PID namespace, the process ID number space gets isolated. Network namespaces can enable processes to have their own private network stack, including interfaces, routing tables and sockets.

preview-image for Logo

Linux Container Primitives: Mount Namespaces and Information Leaks

24. März, 2020 #linux #container

The goal of mount namespaces is to restrict the view of the global file hierarchy by providing each namespace with its own set of mount points. A newly created namespace initially uses a copy of the parent’s mount tree. To add and remove mount points, the mount and umount commands are available. The implementation of these commands had to be modified in order to be aware of namespaces and work in combination with mount namespaces.

preview-image for Logo

Linux Container Primitives: An Introduction to Namespaces

29. Oktober, 2019 #linux #container

Being introduced first in Linux kernel version 2.4.19 in 2002, namespaces define groups of processes that share a common view regarding specific system resources. This ultimately isolates the view on a system resource a group of processes may have, meaning that a process can for instance have its own hostname while the real hostname of the system may have an entirely different value.

preview-image for Logo

Linux Container Basics: Capabilities

27. März, 2019 #linux #container

Disclaimer: The elaboration associated to this subject results from a Master’s thesis created at SCHUTZWERK in collaboration with Aalen University by Philipp Schmied. This post of the Linux Container series provides information regarding required fundamentals: Linux capabilities. The following list shows the topics of all scheduled blog posts. It will be updated with the corresponding links once new posts are being released. An Introduction to Linux Containers Linux Capabilities An Introduction to Namespaces The Mount Namespace and a Description of a Related Information Leak in Docker The PID and Network Namespaces The User Namespace Namespaces Kernel View and Usage in Containerization An Introduction to Control Groups The Network and Block I/O Controllers The Memory, CPU, Freezer and Device Controllers Control Groups Kernel View and Usage in Containerization The traditional way of handling permissions in Linux involves exactly two process types: Privileged and unprivileged processes.

preview-image for Logo

An Introduction to Linux Containers

27. März, 2019 #linux #container

This is the introduction post for the Linux containers blog post series. The following list shows the topics of all scheduled blog posts. It will be updated with the corresponding links once new posts are being released. An Introduction to Linux Containers Linux Capabilities An Introduction to Namespaces The Mount Namespace and a Description of a Related Information Leak in Docker The PID and Network Namespaces The User Namespace Namespaces Kernel View and Usage in Containerization An Introduction to Control Groups The Network and Block I/O Controllers The Memory, CPU, Freezer and Device Controllers Control Groups Kernel View and Usage in Containerization With the steadily growing spread of containerization now and in the future, it becomes increasingly necessary to properly understand the internals and potential security threats resulting from aspects like kernel vulnerabilities, container misconfigurations and wrong use.

Kostenfreies Erstgespräch