Linux Security and Isolation APIs Essentials course outline

1. Course Introduction
2. Classical Privileged Programs
   • A simple set-user-ID program
   • Saved set-user-ID and saved set-group-ID
   • Changing process credentials
   • A few guidelines for writing privileged programs
3. Capabilities
   • Process and file capabilities
   • Permitted and effective capabilities
   • Setting and viewing file capabilities
   • Text-form capabilities
   • Capabilities and execve()
   • Capabilities and UID transitions
4. Namespaces
   • An example: UTS namespaces
   • Namespaces commands
   • Namespaces demonstration (UTS namespaces)
   • Namespace types and APIs
   • Mount namespaces
   • PID namespaces
5. Namespaces APIs (*)
   • API Overview
   • Creating a child process in new namespaces: clone()
6. User Namespaces
   • Overview of user namespaces
   • Creating and joining a user namespace
   • User namespaces: UID and GID mappings
   • Combining user namespaces with other namespaces
7. User Namespaces and Capabilities
   • User namespaces and capabilities
   • What does it mean to be superuser in a namespace?
8. Cgroups: Introduction
   • Preamble
   • What are control groups?
   • An example: the pids controller
   • Creating, destroying, and populating a cgroup
   • Enabling and disabling controllers
9. Cgroups: Other Controllers (*)
   • The cpu controller
   • The freezer controller

(*) Topics marked with an asterisk will be covered subject to time constraints.

Return to the course overview