Path lookup access control for Linux containers

Kernel-based filesystem isolation extension for containers

Kernel-based filesystem isolation is an ideal way to ensure that isolation is always in place during host-container interactions. In our research, we design and implement the first such approach that extends filesystem isolation to dentry objects, by enforcing access control on host-container interactions through the filesystem. Our design addresses the fundamental limitation of the one-way isolation that characterizes today's containers, uses carefully designed policies to ensure accurate and comprehensive interaction control, and implants the protection into the right kernel location to minimize the performance impact. We verify our approach using model checking, which demonstrates its effectiveness in eliminating the path lookup mis-resolution risk. Our evaluation further shows that our approach incurs negligible overheads.

Please refer to our CCS 2023 paper "Lost along the Way: Understanding and Mitigating Path-Misresolution Threats to Container Isolation" for more details.

Project Portal

Paper Link