Linux Namespaces for Fun and Isolation - Martin Ertsås - NDC Security 2024

Explore Linux Namespaces for Fun and Isolation with Martin Ertsås at NDC Security 2024, covering PID, user, IPC, network, and time namespaces for testing, simulation, and more.

Key takeaways
  • CAP_SYS_ADMIN privileges are required to create namespaces.
  • The speaker recommends not sharing objects between namespaces, since permission checks still apply to them.
  • Cross-namespace communication can be established using IPC, message queues, and socket pairs.
  • Namespaces provide isolation, allowing for testing and simulation of various scenarios.
  • The speaker uses unshare and clone to create and enter namespaces.
  • The PID namespace is used to isolate processes and their view of the system.
  • The user namespace is used to isolate users and groups, managing permissions and capabilities.
  • The IPC namespace is used to isolate process communication and message queues.
  • The network namespace is used to isolate network interfaces, routing tables, and IP addresses.
  • The time namespace is used to isolate the system clock and time tracking.
  • The speaker uses various tools and techniques to demonstrate the use of namespaces, including pivot_root, setns, and CLONE_NEWTIME.
  • The speaker warns against using namespaces without a good understanding of how they work, as they can be complex and have unintended consequences.
  • Some Linux distributions may have namespaces enabled by default, and the speaker suggests testing the ramifications of using them.
  • Namespaces are used in various areas, including containerization, sandboxing, and testing.
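The takeaways above mention creating namespaces with unshare and testing what a given distribution actually permits. The following C program is an added example, not code from the talk: it tries to create a user and PID namespace with unshare(), maps the caller to uid 0 inside the new user namespace, and reports what a child sees there. It assumes a Linux host with /proc mounted; the function and parameter names are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Write one line to a /proc mapping file (uid_map, gid_map, setgroups). */
static int write_file(const char *path, const char *text) {
    int fd = open(path, O_WRONLY);
    if (fd < 0) return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Probe whether this host lets the caller create a user + PID namespace.
 * All work happens in a throwaway child, so the caller's own namespaces stay
 * untouched. Returns 1 if the grandchild saw itself as PID 1 inside the new
 * namespace, 0 if the kernel refused unshare() (*err receives its errno),
 * -1 on an unexpected failure. *mapped_root becomes 1 when the uid_map write
 * also made the grandchild euid 0 inside the new user namespace. */
int probe_user_pid_namespace(int *err, int *mapped_root) {
    *err = 0; *mapped_root = 0;
    pid_t outer = fork();
    if (outer < 0) return -1;
    if (outer == 0) {
        uid_t uid = getuid(); gid_t gid = getgid();
        if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0)
            _exit(100 + (errno > 155 ? 155 : errno));   /* encode errno in exit code */
        char line[64];
        /* an unprivileged user namespace must deny setgroups before writing gid_map */
        write_file("/proc/self/setgroups", "deny");
        snprintf(line, sizeof line, "0 %u 1", (unsigned)uid);
        write_file("/proc/self/uid_map", line);
        snprintf(line, sizeof line, "0 %u 1", (unsigned)gid);
        write_file("/proc/self/gid_map", line);
        pid_t inner = fork();                 /* first process of the new PID namespace */
        if (inner < 0) _exit(99);
        if (inner == 0) _exit(getpid() == 1 ? (geteuid() == 0 ? 2 : 1) : 0);
        int st;
        if (waitpid(inner, &st, 0) < 0 || !WIFEXITED(st)) _exit(99);
        _exit(WEXITSTATUS(st));
    }
    int st;
    if (waitpid(outer, &st, 0) < 0 || !WIFEXITED(st)) return -1;
    int code = WEXITSTATUS(st);
    if (code >= 100) { *err = code - 100; return 0; }   /* unshare() was refused */
    if (code == 0 || code == 99) return -1;
    *mapped_root = (code == 2);
    return 1;
}
```

A result of 0 with errno EPERM is what a seccomp-confined container or a distribution that disables unprivileged user namespaces typically reports, which is exactly the kind of ramification the speaker suggests checking before relying on namespaces.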