Title: Linux containers in 500 lines of code

Mail address: _@lizzie.io

Generator: Org-mode

Domain: blog.lizzie.io

Author: Lizzie Dixon

Links:

rss: https://blog.lizzie.io/rss.xml
home: https://blog.lizzie.io/
Container setup: https://blog.lizzie.io/linux-containers-in-500-loc.html#orgba868eb
contained.c: https://blog.lizzie.io/linux-containers-in-500-loc.html#org39f5223
Namespaces: https://blog.lizzie.io/linux-containers-in-500-loc.html#org0aee542
Capabilities: https://blog.lizzie.io/linux-containers-in-500-loc.html#orga723de6
Dropped capabilities: https://blog.lizzie.io/linux-containers-in-500-loc.html#org07e738c
Retained Capabilities: https://blog.lizzie.io/linux-containers-in-500-loc.html#orgc6d2b81
Mounts: https://blog.lizzie.io/linux-containers-in-500-loc.html#org00cc412
System Calls: https://blog.lizzie.io/linux-containers-in-500-loc.html#org8504d16
Disallowed System Calls: https://blog.lizzie.io/linux-containers-in-500-loc.html#org141a19c
Allowed System Calls: https://blog.lizzie.io/linux-containers-in-500-loc.html#org8ee812f
Resources: https://blog.lizzie.io/linux-containers-in-500-loc.html#org36fcb0f
Networking: https://blog.lizzie.io/linux-containers-in-500-loc.html#org65bbba4
noweb: https://www.cs.tufts.edu/~nr/noweb/
here: https://blog.lizzie.io/linux-containers-in-500-loc/contained.c
orgmode: http://orgmode.org/
here: https://blog.lizzie.io/linux-containers-in-500-loc.org
here: https://www.gnu.org/licenses/gpl-3.0.en.html
1: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.subverting-capabilities
"Understanding and Hardening Linux Containers": https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1.pdf
2: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.turned-off-in-linux
3: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.distros-userns
captainjey on reddit let me know. Thanks!: https://www.reddit.com/r/programming/comments/57x26h/linux_containers_in_500_lines_of_code/d8w07vf?context=3
4: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.man-clone
5: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.clone-stack-temporary
6: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.pointer-addition-ub
7: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.pidns-sigkill
9: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.setgroups-setresuid
10: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.procfs-write
11: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.execve-setcap-file
12: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap-audit-control-pid-ns
13: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.audit-socket
14: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap-block-suspend
15: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.shocker-c
16: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_fsetid
17: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_ipc_x
18: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_mknod_exploit
19: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_setfcap
20: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_syslog
21: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_sys_boot-usages
22: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap-sys-module
23: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.kmod
24: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.dev-load
25: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_sys_nice
26: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.nice-dos
27: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.kmem-etc
28: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.kmem-etc-mknod
29: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.io-ports
30: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_sys_resource
31: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_sys_resource-spender
32: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.time-travel-attacks
33: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_wake_alarm
34: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.multiple-places
35: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_dac_override-same-functionality
36: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_dac_override-the-only-usage
37: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_sys_pacct
38: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap-ipc-owner
39: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.networking-namespaces
40: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.net-device-initialization
41: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_sys_ptrace
42: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cap_kill
43: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.similar-behaviors
man 7 capabilities: http://man7.org/linux/man-pages/man7/capabilities.7.html
44: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.chroot-dynamic-libraries
45: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.escaping-chroot-jail
Brad Spengler, in "False Boundaries and Arbitrary Code Execution": https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
46: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.unpackaging-containers
Docker's documentation: https://github.com/docker/docker.github.io/blob/master/engine/security/seccomp.md
default seccomp profile: https://github.com/docker/docker/blob/b248de7e332b6e67b08a8981f68060e6ae629ccf/profiles/seccomp/default.json
47: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.docker-seccomp-whitelist
48: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.self-setuid
49: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.tiocsti
50: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.kernel-keyring
51: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.ptrace-seccomp
52: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.userfaultfd
53: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.userfaultfd-races
Docker documentation says: https://github.com/docker/docker.github.io/blob/master/engine/security/seccomp.md
54: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.perf_event_open
55: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.paranoid-46
56: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.pr_set_no_new_privs
57: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn._sysctl
58: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.alloc_hugepages
59: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.bdflush
60: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.create_module
61: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.nfsservctl
62: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.perfctr
63: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.get_kernel_syms
64: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.setup-syscall
65: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.clock_settime
66: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.adjtime
67: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.pci-etc
68: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.quotactl
69: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.ustat
70: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.sysfs
71: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.uselib
72: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.sync_file_range2
73: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.readdir
74: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.kexec-etc
75: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.nice-again
76: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.perfmonctl
77: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.ppc_rtas
78: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.spu_create
79: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.spu_run
80: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.subpage_prot
81: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.utrap_install
82: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.kern_features
83: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.preadv2-etc
84: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.oom-killer-security
There's a very useful document in the kernel tree about it: https://www.kernel.org/doc/Documentation/cgroup-v1/cgroups.txt
85: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cgroup-namespaces
86: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.1GB-total-userspace
87: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.1GB-total-kmem
88: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.cpu-time
89: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.pids
90: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.blkio
91: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.how-cgroups-works
92: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.lower-hard-limit
93: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.built-in-cgroup-free
94: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.arp-spoofing
95: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.net-prio
1: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.subverting-capabilities
"Linux User Namespaces Might Not Be Secure Enough": https://medium.com/@ewindisch/linux-user-namespaces-might-not-be-secure-enough-a-k-a-subverting-posix-capabilities-f1c4ae19cad#.3lbw4loa7
man 7 user_namespaces: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
"Understanding and Hardening Linux Containers": https://www.nccgroup.trust/globalassets/our-research/us/whitepapers/2016/april/ncc_group_understanding_hardening_linux_containers-1-1.pdf
2: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.turned-off-in-linux
init/Kconfig:1207@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/init/Kconfig?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1207
3: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.distros-userns
92e575e769cc50a9bfb50fb58fe94aab4f2a2bff: http://kernel.ubuntu.com/git/ubuntu/ubuntu-xenial.git/commit/?id=92e575e769cc50a9bfb50fb58fe94aab4f2a2bff
debian/patches/debian/add-sysctl-to-allow-unprivileged-CLONE_NEWUSER-by-default.patch: https://anonscm.debian.org/git/kernel/linux.git/tree/debian/patches/debian/add-sysctl-to-disallow-unprivileged-CLONE_NEWUSER-by-default.patch
https://grsecurity.net/test/grsecurity-3.1-4.7.9-201610200819.patch
{linux} 3.13 add CONFIG_USER_NS: https://bugs.archlinux.org/task/36969
4: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.man-clone
man 2 clone: http://man7.org/linux/man-pages/man2/clone.2.html
5: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.clone-stack-temporary
6: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.pointer-addition-ub
ISO-9899: http://www.iso-9899.info/n1570.html
7: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.pidns-sigkill
man 7 pid_namespaces: http://man7.org/linux/man-pages/man7/pid_namespaces.7.html
8: https://blog.lizzie.io/linux-containers-in-500-loc.html#fn.self-userns-limited
8: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.self-userns-limited
man 7 user_namespaces: http://man7.org/linux/man-pages/man7/user_namespaces.7.html
9: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.setgroups-setresuid
include/linux/cred.h:95@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/include/linux/cred.h?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n95
10: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.procfs-write
fs/proc/proc_sysctl.c:406@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/fs/proc/proc_sysctl.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n406
11: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.execve-setcap-file
man 7 capabilities: http://man7.org/linux/man-pages/man7/capabilities.7.html
12: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap-audit-control-pid-ns
kernel/audit.c:663@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/audit.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n663
13: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.audit-socket
man 7 netlink: http://man7.org/linux/man-pages/man7/netlink.7.html
14: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap-block-suspend
man 7 capabilities: http://man7.org/linux/man-pages/man7/capabilities.7.html
15: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.shocker-c
An email and description by Sebastian Krahmer: http://www.openwall.com/lists/oss-security/2014/06/18/4
shocker.c: http://stealth.openwall.net/xSports/shocker.c
16: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_fsetid
17: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_ipc_x
man 2 mlock: http://man7.org/linux/man-pages/man2/mlock.2.html
mm/mlock.c:27@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/mm/mlock.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n27
18: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_mknod_exploit
19: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_setfcap
Brad Spengler's note in False Boundaries and Arbitrary Code Execution: https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
20: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_syslog
man 7 capabilities: http://man7.org/linux/man-pages/man7/capabilities.7.html
man 2 syslog: http://man7.org/linux/man-pages/man2/syslog.2.html
21: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_sys_boot-usages
kernel/reboot.c:280@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/reboot.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n280
kernel/kexec.c:187@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/kexec.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n187
kernel/kexec_file.c:256@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/kexec_file.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n256
22: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap-sys-module
kernel/module.c:931@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/module.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n931
kernel/module.c:3468@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/module.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n3468
kernel/module.c:3759@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/module.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n3759
23: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.kmod
kernel/kmod.c:630@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/kmod.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n630
24: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.dev-load
net/core/dev_ioctl.c:349@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/core/dev_ioctl.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n349
net/core/dev_ioctl.c:381@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/core/dev_ioctl.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n381
25: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_sys_nice
man 2 nice: http://man7.org/linux/man-pages/man2/nice.2.html
26: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.nice-dos
27: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.kmem-etc
man 7 capabilities: http://man7.org/linux/man-pages/man7/capabilities.7.html
28: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.kmem-etc-mknod
man 4 mem: http://man7.org/linux/man-pages/man4/mem.4.html
29: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.io-ports
man 2 ioperm: http://man7.org/linux/man-pages/man2/ioperm.2.html
man 2 iopl: http://man7.org/linux/man-pages/man2/iopl.2.html
30: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_sys_resource
man 7 capabilities: http://man7.org/linux/man-pages/man7/capabilities.7.html
31: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_sys_resource-spender
Brad Spengler agrees in "False Boundaries and Arbitrary Code Execution": https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
32: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.time-travel-attacks
"Authenticated Network Time Synchronization": https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_dowling.pdf
Selvi: https://www.blackhat.com/docs/eu-14/materials/eu-14-Selvi-Bypassing-HTTP-Strict-Transport-Security-wp.pdf
Malhotra et al: http://www.cs.bu.edu/~goldbe/NTPattack.html
33: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_wake_alarm
man 7 capabilities: http://man7.org/linux/man-pages/man7/capabilities.7.html
"Waking systems from suspend" on LWN: https://lwn.net/Articles/429925/
34: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.multiple-places
Brad Spengler's "False Boundaries and Arbitrary Code Execution": https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
Sebastian Krahmer's email: http://www.openwall.com/lists/oss-security/2014/06/18/4
35: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_dac_override-same-functionality
36: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_dac_override-the-only-usage
fs/namei.c:316@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/fs/namei.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n316
37: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_sys_pacct
man 5 acct: http://man7.org/linux/man-pages/man5/acct.5.html
man 2 acct: http://man7.org/linux/man-pages/man2/acct.2.html
38: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap-ipc-owner
ipc/util.c:468@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/util.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n468
ipc/shm.c@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/shm.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
ipc/shm.c:869@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/shm.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n869
ipc/shm.c:1081@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/shm.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1081
ipc/sem.c@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/sem.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
ipc/sem.c:1200@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/sem.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1200
ipc/sem.c:1289@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/sem.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1289
ipc/sem.c:1360@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/sem.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1360
ipc/sem.c:1816@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/sem.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1816
ipc/msg.c@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/msg.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
ipc/msg.c:445@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/msg.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n445
ipc/msg.c:630@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/msg.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n630
ipc/msg.c:846@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/msg.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n846
ipc/util.c:290@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/util.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n290
ipc/util.c:323@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/util.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n323
ipc/util.c:625@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/util.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n625
ipc/shm.c:654@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/shm.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n654
ipc/sem.c:604@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/sem.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n604
ipc/msg.c:265@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/msg.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n265
ipc/shm.c:1249@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/shm.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1249
ipc/sem.c:2051@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/sem.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n2051
ipc/sem.c:1816@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/sem.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1816
ipc/msg.c:743@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/msg.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n743
ipc/msg.c:1004@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/ipc/msg.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1004
39: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.networking-namespaces
40: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.net-device-initialization
net/core/rtnetlink.c@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/core/rtnetlink.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
net/core/rtnetlink.c:2239@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/net/core/rtnetlink.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n2239
drivers/net/dummy.c:170@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/dummy.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n170
drivers/net/dummy.c:137@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/drivers/net/dummy.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n137
41: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_sys_ptrace
kernel/ptrace.c:1079@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/ptrace.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1079
kernel/ptrace.c:1060@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/ptrace.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1060
kernel/pid.c:459@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/pid.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n459
kernel/pid.c:452@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/pid.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n452
kernel/pid.c:366@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/pid.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n366
42: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cap_kill
kernel/signal.c:972@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/signal.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n972
43: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.similar-behaviors
man 7 capabilities: http://man7.org/linux/man-pages/man7/capabilities.7.html
44: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.chroot-dynamic-libraries
Brad Spengler's "False Boundaries and Arbitrary Code Execution": https://forums.grsecurity.net/viewtopic.php?f=7&t=2522
45: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.escaping-chroot-jail
man 2 chroot: http://man7.org/linux/man-pages/man2/chroot.2.html
46: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.unpackaging-containers
Docker 1.3.2 - Security Advisory {24 Nov 2014}: http://www.openwall.com/lists/oss-security/2014/11/24/5
Docker 1.6.1 - Security Advisory {150507}: http://www.openwall.com/lists/oss-security/2015/05/07/10
Security issues in LXC (CVE-2015-1331 and CVE-2015-1334): http://www.openwall.com/lists/oss-security/2015/07/22/4
47: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.docker-seccomp-whitelist
48: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.self-setuid
49: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.tiocsti
CVE-2016-7545 -- SELinux sandbox escape: http://www.openwall.com/lists/oss-security/2016/09/25/1
50: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.kernel-keyring
man 7 keyrings: http://man7.org/linux/man-pages/man7/keyrings.7.html
51: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.ptrace-seccomp
man 2 seccomp: http://man7.org/linux/man-pages/man2/seccomp.2.html
run seccomp after ptrace: https://lkml.org/lkml/2016/6/9/627
93e35e: https://git.kernel.org/cgit/linux/kernel/git/stable/linux-stable.git/commit/?id=93e35efb8de45393cf61ed07f7b407629bf698ea
52: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.userfaultfd
Documentation/vm/userfaultfd.txt@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/vm/userfaultfd.txt?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
53: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.userfaultfd-races
and linked to his vulnerability and exploit: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
Vitaly Nikolenko in his proof-of-concept for CVE-2016-6187: https://cyseclabs.com/blog/cve-2016-6187-heap-off-by-one-exploit
Jann Horn: https://bugs.chromium.org/p/project-zero/issues/detail?id=808
here: https://cyseclabs.com/exploits/matreshka.c
54: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.perf_event_open
man 2 perf_event_open: http://man7.org/linux/man-pages/man2/perf_event_open.2.html
kernel/events/core.c:9376@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/events/core.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n9376
kernel/events/core.c:3621@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/events/core.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n3621
kernel/pid.c:459@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/pid.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n459
55: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.paranoid-46
0161028: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=0161028b7c8aebef64194d3d73e43bc3b53b5c66
56: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.pr_set_no_new_privs
Documentation/prctl/no_new_privs.txt@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/prctl/no_new_privs.txt?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
man 2 seccomp: http://man7.org/linux/man-pages/man2/seccomp.2.html
kernel/seccomp.c:340@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/seccomp.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n340
kernel/fork.c:1268@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/fork.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1268
kernel/fork.c@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/fork.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
57: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr._sysctl
man 2 _sysctl: http://man7.org/linux/man-pages/man2/_sysctl.2.html
init/Kconfig:1420@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/init/Kconfig?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n1420
58: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.alloc_hugepages
man 2 alloc_hugepages: http://man7.org/linux/man-pages/man2/alloc_hugepages.2.html
59: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.bdflush
man 2 bdflush: http://man7.org/linux/man-pages/man2/bdflush.2.html
60: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.create_module
man 2 create_module: http://man7.org/linux/man-pages/man2/create_module.2.html
61: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.nfsservctl
man 2 nfsservctl: http://man7.org/linux/man-pages/man2/nfsservctl.2.html
62: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.perfctr
man 2 syscalls: http://man7.org/linux/man-pages/man2/syscalls.2.html
63: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.get_kernel_syms
man 2 get_kernel_syms: http://man7.org/linux/man-pages/man2/get_kernel_syms.2.html
64: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.setup-syscall
man 2 setup: http://man7.org/linux/man-pages/man2/setup.2.html
65: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.clock_settime
man 2 clock_settime: http://man7.org/linux/man-pages/man2/clock_settime.2.html
kernel/time/posix-timers.c:282@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/time/posix-timers.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n282
kernel/time/posix-timers.c:212@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/time/posix-timers.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n212
security/commoncap.c:106@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/security/commoncap.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n106
kernel/time/ntp.c:657@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/kernel/time/ntp.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n657
66: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.adjtime
man 3 adjtime: http://man7.org/linux/man-pages/man3/adjtime.3.html
67: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.pci-etc
man 2 pciconfig_read: http://man7.org/linux/man-pages/man2/pciconfig_read.2.html
68: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.quotactl
man 2 quotactl: http://man7.org/linux/man-pages/man2/quotactl.2.html
69: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.ustat
man 2 ustat: http://man7.org/linux/man-pages/man2/ustat.2.html
70: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.sysfs
man 2 sysfs: http://man7.org/linux/man-pages/man2/sysfs.2.html
71: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.uselib
man 2 uselib: http://man7.org/linux/man-pages/man2/uselib.2.html
72: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.sync_file_range2
man 2 sync_file_range2: http://man7.org/linux/man-pages/man2/sync_file_range2.2.html
73: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.readdir
man 2 readdir: http://man7.org/linux/man-pages/man2/readdir.2.html
74: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.kexec-etc
man 2 kexec_file_load: http://man7.org/linux/man-pages/man2/kexec_file_load.2.html
75: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.nice-again
man 2 nice: http://man7.org/linux/man-pages/man2/nice.2.html
76: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.perfmonctl
man 2 perfmonctl: http://man7.org/linux/man-pages/man2/perfmonctl.2.html
77: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.ppc_rtas
man 2 syscalls: http://man7.org/linux/man-pages/man2/syscalls.2.html
78: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.spu_create
man 2 spu_create: http://man7.org/linux/man-pages/man2/spu_create.2.html
79: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.spu_run
man 2 spu_run: http://man7.org/linux/man-pages/man2/spu_run.2.html
80: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.subpage_prot
man 2 subpage_prot: http://man7.org/linux/man-pages/man2/subpage_prot.2.html
81: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.utrap_install
man 2 syscalls: http://man7.org/linux/man-pages/man2/syscalls.2.html
82: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.kern_features
man 2 syscalls: http://man7.org/linux/man-pages/man2/syscalls.2.html
arch/sparc/kernel/sys_sparc_64.c:648@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/arch/sparc/kernel/sys_sparc_64.c?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3#n648
83: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.preadv2-etc
man 2 preadv2: http://man7.org/linux/man-pages/man2/preadv2.2.html
84: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.oom-killer-security
"Taming the OOM Killer": https://lwn.net/Articles/317814/
"gltext seems to leak memory eventually causing oom-killer to run": https://bugs.launchpad.net/ubuntu/+source/xscreensaver/+bug/768032
"xscreensaver does not protect the system against its children": https://bugs.launchpad.net/ubuntu/+source/xscreensaver/+bug/807685
85: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cgroup-namespaces
man 7 cgroup_namespaces: http://man7.org/linux/man-pages/man7/cgroup_namespaces.7.html
86: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.1GB-total-userspace
Documentation/cgroup-v1/memory.txt@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroup-v1/memory.txt?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
87: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.1GB-total-kmem
Documentation/cgroup-v1/memory.txt@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroup-v1/memory.txt?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
88: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.cpu-time
man 7 cgroups: http://man7.org/linux/man-pages/man7/cgroups.7.html
89: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.pids
Documentation/cgroup-v1/pids.txt@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroup-v1/pids.txt?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
90: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.blkio
Documentation/cgroup-v1/blkio-controller.txt@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroup-v1/blkio-controller.txt?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
91: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.how-cgroups-works
man 7 cgroups: http://man7.org/linux/man-pages/man7/cgroups.7.html
92: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.lower-hard-limit
man 2 setrlimit: http://man7.org/linux/man-pages/man2/setrlimit.2.html
93: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.built-in-cgroup-free
Documentation/cgroup-v1/cgroups.txt@c8d2bc: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/tree/Documentation/cgroup-v1/cgroups.txt?id=c8d2bc9bc39ebea8437fd974fdbc21847bb897a3
94: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.arp-spoofing
"Cross-Container ARP Poisoning": https://bugs.launchpad.net/ubuntu/+source/lxc/+bug/1548497
95: https://blog.lizzie.io/linux-containers-in-500-loc.html#fnr.net-prio
man 7 cgroups: http://man7.org/linux/man-pages/man7/cgroups.7.html
