From 9b99d6e81c761cf8208a0ae3a17e5bc12084fac7 Mon Sep 17 00:00:00 2001
From: Holger Dengler
Date: Fri, 21 Oct 2016 10:03:14 +0200
Subject: security: namespaces: Add intro slide, other updates
Signed-off-by: Holger Dengler
---
security/advanced/frm_namespace_container.tex | 90 ++++++++++++++++++++++-----
1 file changed, 73 insertions(+), 17 deletions(-)
diff --git a/security/advanced/frm_namespace_container.tex b/security/advanced/frm_namespace_container.tex
index 4e53733..c63b6b2 100644
--- a/security/advanced/frm_namespace_container.tex
+++ b/security/advanced/frm_namespace_container.tex
@@ -1,3 +1,34 @@
+% ----------------------------
+\subsubsection{How to isolate Applications}
+
+\begin{frame}[fragile]
+\frametitle{How to isolate Applications}
+\begin{itemize}
+\item System Information via Kernel API
+ \begin{itemize}
+ \item Syscalls
+ \item PseudoFS (e.g. /proc and /sys)
+ \item Filesystem tree
+ \item Network Infrastructure (interfaces, components)
+ \end{itemize}
+\item Namespaces
+ \begin{itemize}
+ \item Reduction of System Scope
+ \item System View Virtualization
+ \end{itemize}
+\item Controlgroup
+ \begin{itemize}
+ \item Partitioning of System Resources (CPU time, Memory, etc.)
+ \end{itemize}
+\item Container
+ \begin{itemize}
+ \item Configuration Tools
+ \item Use Namespaces and Controlgroups
+ \item Application in a Box
+ \end{itemize}
+\end{itemize}
+\end{frame}
+
 % ----------------------------
 \subsubsection{Namespaces}
 
@@ -46,7 +77,7 @@
 \begin{frame}[fragile]
 \frametitle{Linux Containers (LXC)}
 \begin{beamerboxesrounded}[shadow=true]{Start/Stop container:}
-\begin{tiny}
+\begin{scriptsize}
 \begin{verbatim}
 # Start: Better for single commands
 lxc-execute -n cont_name [-f config] /bin/bash
@@ -56,11 +87,11 @@ lxc-start -n cont_name [-f config]
 # Stop container
 lxc-stop -n foo
 \end{verbatim}
-\end{tiny}
+\end{scriptsize}
 \end{beamerboxesrounded}
 
 \begin{beamerboxesrounded}[shadow=true]{Control container:}
-\begin{tiny}
+\begin{scriptsize}
 \begin{verbatim}
 # Pause/resume container (controlling group of processes)
 lxc-freeze -n cont_name
@@ -72,7 +103,7 @@ lxc-monitor -n cont_name
 # Attach to container console
 lxc-console -n cont_name
 \end{verbatim}
-\end{tiny}
+\end{scriptsize}
 \end{beamerboxesrounded}
 \end{frame}
 
@@ -80,9 +111,18 @@ lxc-console -n cont_name
 \begin{frame}[fragile]
 \frametitle{Linux Container (LXC): Configuration I}
 \begin{beamerboxesrounded}[shadow=true]{Networking example:}
-\begin{tiny}
+\begin{scriptsize}
 \begin{verbatim}
+#
+# new hostname for container
+#
 lxc.utsname = myhostname
+
+#
+# Network vistualization
+# - private segment in container
+# - connected via br0 to device network
+#
 lxc.network.type = veth
 lxc.network.flags = up
 lxc.network.link = br0
@@ -90,7 +130,7 @@ lxc.network.name = eth0
 lxc.network.hwaddr = 4a:49:43:49:79:bf
 lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
 \end{verbatim}
-\end{tiny}
+\end{scriptsize}
 \end{beamerboxesrounded}
 \end{frame}
 
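Review bot: The comment block added above the veth settings in the Networking example misspells its heading as `# Network vistualization`; it sits inside a verbatim environment, so the typo will be printed on the slide exactly as written — `# Network virtualization`. While touching that comment, `# - connected via br0 to device network` deserves one more word for learners: attaching the container's veth to a host bridge puts it on the host's network segment, so the network namespace isolates the container's view of interfaces and routes, not its reachability from the rest of that segment. A half-line note on the slide would stop readers from equating "namespace" with network isolation. The enclosing frame continues past the end of this hunk.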
@@ -98,14 +138,30 @@ lxc.network.ipv4 = 10.2.3.5/24 10.2.3.255
 \begin{frame}[fragile]
 \frametitle{Linux Container (LXC): Configuration II}
 \begin{beamerboxesrounded}[shadow=true]{Controlgroup example:}
-\begin{tiny}
+\begin{scriptsize}
 \begin{verbatim}
-lxc.cgroup.cpuset.cpus = 0,1
+#
+# new hostname for container
+#
+lxc.utsname = myhostname
+
+#
+# schedule container processes only on CPU 3 and 4
+#
+lxc.cgroup.cpuset.cpus = 3,4
+
+#
+# Deny access to device nodes other than
+# - /dev/null (c, 1, 3)
+# - /dev/urandom (c, 1, 3)
+# - /dev/sda5 (b, 8, 5)
+#
 lxc.cgroup.devices.deny = a
 lxc.cgroup.devices.allow = c 1:3 rw
-lxc.cgroup.devices.allow = b 8:0 rw
+lxc.cgroup.devices.allow = c 1:9 ro
+lxc.cgroup.devices.allow = b 8:5 rw
 \end{verbatim}
-\end{tiny}
+\end{scriptsize}
 \end{beamerboxesrounded}
 \end{frame}
 
@@ -116,17 +172,17 @@ lxc.cgroup.devices.allow = b 8:0 rw
 \begin{frame}[fragile]
 \frametitle{Container: Summary}
 \begin{itemize}
-\item lightweight virtualization
-\item isolation of applications
-\item hide system resources/configuration
-\item Problems:
+\item Lightweight Virtualization
+\item Isolation of Applications
+\item Hide System Resources/Configuration
+\item Common:
 \begin{itemize}
- \item shared kernel
- \item robustness against attacks
+ \item Shared Kernel
 \end{itemize}
 \item Solution:
 \begin{itemize}
- \item combination of namespaces with Mandatory Access Control (MAC)
+ \item Viewability between Applications
+ \item Sandbox (in combination with MAC)
 \end{itemize}
 \end{itemize}
 \end{frame}
-- 
cgit v1.2.3
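Review bot: The device-node comment added to the Controlgroup example lists `# - /dev/urandom (c, 1, 3)`, but the allow rule below it is `c 1:9`, and 1:3 is already given for /dev/null one line up; the comment should read `# - /dev/urandom (c, 1, 9)`. The access field of that rule, `ro`, also looks wrong: the devices cgroup accepts only the letters r, w and m in that position, so `lxc.cgroup.devices.allow = c 1:9 r` is the read-only form (I would expect the kernel to reject `ro` when the container starts, worth confirming with the LXC version used for the course). The `b 8:5 rw` line grants the container raw read/write access to the whole partition, which sidesteps file-level permissions on whatever is mounted from it; since the box is presented as a deny-by-default example, a one-line caveat next to that rule would make the trade-off explicit. Finally, `# schedule container processes only on CPU 3 and 4` is slightly misleading because cpuset numbering starts at 0, so `3,4` selects the fourth and fifth CPUs.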
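Review bot: Renaming the `Problems:` bullet to `Common:` and dropping `robustness against attacks` leaves `\item Shared Kernel` stating a fact without the consequence the previous slide carried — all containers run on the host's kernel, so a kernel bug reachable from inside one container affects the host and every other container, which is the reason the Solution bullets reach for MAC. A short qualifier keeps that point, e.g. `\item Shared Kernel (one kernel vulnerability affects host and all containers)`. `\item Viewability between Applications` is also hard to parse; if mutual visibility of processes and files is what is meant, `Visibility between Applications` says it plainly and matches the "Hide System Resources" bullet above it.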