:Kernel Space: Authoritative Hooks for Containerization
Kernel Space: Authoritative Hooks for Containerization Mar 27, 2008, 12 :00 UTC (0 Talkback[s]) (3955 reads) (Other stories by Jonathan Corbet)
"The containers developers have what would seem to be a relatively straightforward problem: they would like to control access to devices on a per-container basis. Then containers could safely be granted access to specific devices without compromising the overall security of the system--even if a container has a root-capable process which can create new device files. Implementing this feature has been a longer journey than these developers had imagined, though, with the 'device whitelist' feature being sent around to different kernel subsystems almost like one of those famous garbage barges from years past. A final resting place may have been found, though, and it may signal a change in how some security decisions are made in the kernel in the future..."
