Wednesday, October 28 • 12:00 - 12:50
Syscall Supervision - Christian Brauner, Canonical

Unprivileged programs such as containers employing user namespaces are severely restricted by the kernel to protect the host from malicious workloads. This means that certain syscalls are completely off-limits for critical workloads, even when a privileged, supervising process such as the container manager can vouch for their safety. To solve this problem in a generic way we extended the Linux kernel to allow for syscall supervision: a process such as the container manager can receive notifications about the syscalls of a process running inside the container, and that process remains blocked until the container manager allows it to proceed. In this talk we will look at how syscall supervision works in the kernel and how a container manager can use it to let unprivileged containers mount filesystems and create devices they would otherwise not be able to. We will also look at new features built on top of this that enable a container manager to inject file descriptors into, and receive them from, another process, allowing it to open() files on behalf of the container that the container would otherwise not be able to open.
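The supervision flow the abstract describes, as an added example that is not code from the talk or from LXD/LXC: one thread installs a seccomp filter that marks mount(2) as SECCOMP_RET_USER_NOTIF, a supervisor thread receives the request on the listener fd and decides the outcome, and the supervised thread's mount(2) returns whatever the supervisor chose. It assumes Linux 5.0 or newer and that the "approve" decision for mount is a stand-in for the argument checks and privileged work a real container manager would do before answering.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <pthread.h>
#include <stddef.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Supervisor side: block on the listener fd, inspect the request, reply.
   A real manager would validate the arguments and req.pid first (assumed here). */
static void *supervisor(void *arg) {
    int fd = *(int *)arg;
    struct seccomp_notif req;
    struct seccomp_notif_resp resp;
    memset(&req, 0, sizeof(req));              /* kernel requires a zeroed buffer */
    if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, &req) < 0) return NULL;
    memset(&resp, 0, sizeof(resp));
    resp.id = req.id;                          /* cookie ties the reply to the request */
    if (req.data.nr == SYS_mount) resp.val = 0;   /* approve: caller sees success */
    else resp.error = -EPERM;                  /* anything else: deny */
    ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, &resp);
    return NULL;
}

/* Supervised side: filter mount(2) with SECCOMP_RET_USER_NOTIF, then call it.
   Returns what mount(2) returned, i.e. the supervisor's decision. */
long supervised_mount_demo(void) {
    struct sock_filter filter[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mount, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = 4, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    int fd = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                     SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (fd < 0) return -1;
    pthread_t t;                               /* inherits the filter, never calls mount */
    if (pthread_create(&t, NULL, supervisor, &fd) != 0) return -1;
    long rc = syscall(SYS_mount, "none", "/nonexistent", "tmpfs", 0, NULL);
    pthread_join(t, NULL);
    close(fd);
    return rc;   /* 0: approved; an unprivileged caller would otherwise get EPERM */
}
```

The filter matches on the syscall number only, so it is tied to the host's native ABI; a production filter also checks seccomp_data.arch.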

Christian Brauner

Senior Software Engineer, Canonical
Christian Brauner is a kernel developer and maintainer of the LXD and LXC projects currently working at Canonical. He works mostly upstream on the Linux Kernel maintaining various bits and pieces. He is strongly committed to working in the open, and an avid proponent of Free Software...

Wednesday October 28, 2020 12:00 - 12:50 GMT
Linux Systems Theater