Serge E. Hallyn serge at hallyn.com
Thu Jun 12 21:01:19 PDT 2014

Application confinement with user namespaces

Application sandboxing using MAC has become common-place.  SELinux and
AppArmor policies to protect a user from things like browsers and
bittorrent clients are available to most, even if they not as widely
used as we would like.  Some people use VMs to sandbox heavyweight
applications, with an obviously greater performance penalty.  Pure
container sandboxing eschewed this penalty at the cost of reduced
isolation.  Combining container sandboxing with MAC, as was done
by virt-sandbox-service and in default Ubuntu LXC containers,
makes for a terrific tool for sandboxing untrusted applications.

While privileged containers offer benefits by partially isolating
applications using namespaces and cgroups, a whole new level of
confinement is reached when adding user namespaces.  By supporting
creation and use of unprivileged containers by users who have no root
access at all, this level of sandboxing is now more accessible than
ever.

We will begin by describing user namespaces in general, then proceed
to demonstrate an unprivileged container plus apparmor confining
gui applications.

Serge Hallyn <serge at hallyn.com>
Stéphane Graber <stgraber at ubuntu.com>