This talk will cover the differences between application sandboxes and containers. The most well known sandbox is Chrome, for providing "hard guarantees about what ultimately a piece of code can or cannot do no matter what its inputs are". At its core, the Linux Chrome sandbox uses namespaces along with seccomp and other native features to provide these guarantees. Containers are composed of the same primitives.
Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. The world an attacker might see from inside a very strict container with custom AppArmor/Seccomp profiles greatly differs than that without the use of containers. With namespaces we limit the application from seeing various things such as network, mounts, processes, etc. And with cgroups we can further limit what the attacker can use, be it a large amount of memory, cpu, or even a fork bomb.
This talk will cover all the work being done in this area including but not limited to rootless containers, custom apparmor profiles, seccomp profiling, and the future of container security.
Sign in to add slides, notes or videos to this session