Getting Towards Real Sandbox Containers

A session at QCon New York 2016

This talk will cover the differences between application sandboxes and containers. The best-known sandbox is Chrome's, known for providing "hard guarantees about what ultimately a piece of code can or cannot do no matter what its inputs are". At its core, the Linux Chrome sandbox uses namespaces along with seccomp and other native features to provide these guarantees. Containers are composed of the same primitives.

Containers are not going to be the answer to preventing your application from being compromised, but they can limit the damage from a compromise. The world an attacker might see from inside a very strict container with custom AppArmor/seccomp profiles differs greatly from the one they would see without containers. With namespaces we limit what the application can see, such as the network, mounts, and processes. With cgroups we can further limit what the attacker can use, be it a large amount of memory, CPU, or even a fork bomb.

This talk will cover all the work being done in this area, including but not limited to rootless containers, custom AppArmor profiles, seccomp profiling, and the future of container security.
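
As an added example (not from the talk or its speaker), the following Python script audits how tightly a process is confined by reading the `Seccomp`, `NoNewPrivs` and `CapEff` fields of `/proc/<pid>/status`. The two status snapshots and the watch-list of risky capabilities are constructed for illustration.

```python
# Added example: audit a process's confinement from /proc/<pid>/status text.
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}
# Bit numbers from <linux/capability.h>; the watch-list itself is this example's choice.
RISKY_CAPS = {12: "CAP_NET_ADMIN", 16: "CAP_SYS_MODULE",
              19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN"}

# Constructed snapshots (not captured from a real host).
CONFINED = "Name:\tapp\nCapEff:\t00000000a80425fb\nNoNewPrivs:\t1\nSeccomp:\t2\n"
UNCONFINED = "Name:\tapp\nCapEff:\t0000003fffffffff\nNoNewPrivs:\t0\nSeccomp:\t0\n"


def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def audit(text):
    """Return (summary, findings) for one status snapshot."""
    f = parse_status(text)
    # A missing Seccomp field (older kernels) is reported as "unknown";
    # a missing NoNewPrivs field is treated as not set.
    seccomp = SECCOMP_MODES.get(int(f["Seccomp"]), "unknown") if "Seccomp" in f else "unknown"
    no_new_privs = f.get("NoNewPrivs") == "1"
    cap_eff = int(f.get("CapEff", "0"), 16)
    risky = [name for bit, name in sorted(RISKY_CAPS.items()) if (cap_eff >> bit) & 1]
    findings = []
    if seccomp not in ("strict", "filter"):
        findings.append("no seccomp filter active (mode: %s)" % seccomp)
    if not no_new_privs:
        findings.append("no_new_privs is not set")
    if risky:
        findings.append("risky effective capabilities: " + ", ".join(risky))
    summary = {"seccomp": seccomp, "no_new_privs": no_new_privs, "risky_caps": risky}
    return summary, findings


if __name__ == "__main__":
    for label, text in (("confined", CONFINED), ("unconfined", UNCONFINED)):
        print(label, audit(text))
    try:  # Also audit the current process when run on Linux.
        with open("/proc/self/status") as fh:
            print("self", audit(fh.read()))
    except OSError:
        pass
```

Running it inside and outside a container on the same host shows the difference in confinement directly; namespace and cgroup membership can be compared the same way through `/proc/<pid>/ns` and `/proc/<pid>/cgroup`.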

About the speaker

Jessie Frazelle

blah blah blah tupperware... linux bio from Twitter

Date Tue 14th June 2016