Amaç Nedir?
Amaç Access Control sağlamak. Açıklaması şöyle
Namespaces and cgroups provide a basic level of DDOS prevention and limit the attack surface to the host. But in certain scenarios, additional security measures are necessary. In particular, when running workloads and applications from untrusted users on cloud providers.One way to add extra security is through access control.Access control limits the access a container has to the host system, such as which files it can access and which system calls it can make.
Access Control için kullanılan bazı çözümler şöyle
1. AppArmor
Açıklaması şöyle
a mandatory access control system that assigns per-program profiles to restrict the capabilities of individual programs.
2. SELinux - Security-Enhanced Linux
Açıklaması şöyle
another mandatory access control system that provides fine-grained control, but can be complex to set up. It was originally created by the NSA and merged into the Linux kernel in 2003.
3. Seccomp - Secure Computing Mode
Açıklaması şöyle. Yani diğer çözümlere göre daha hafif sıklet
a Linux kernel feature that restricts system calls made by programs, making it a simpler and lightweight alternative to AppArmor and SELinux, useful in situations where only a limited set of system calls need to be restricted.
Açıklaması şöyle. Yani Seccomp her yerde mevcut, diğer çözümleri kurmak gerekiyor
By default, container engines like Docker do not use access control systems, but they can be enabled. seccomp is available on all Linux servers while AppArmor and SELinux are only available on distributions that have them enabled.
Açıklaması şöyle. Burada container denilmiş ancak esas amaç bir uygulamanın belirli bir sistem çağrını yapmasını engellemek
To restrict system calls from containers we can use Seccomp (secure computing mode). Using the Seccomp utility we can limit the syscalls a process/container can make to the Linux kernel.
Şeklen şöyle