There is a lot of work going on in upstream Linux by a number of different entities focused on making containers more featureful. For example, namespaced file capabilities, LSM stacking, namespaced integrity management, user-id shifting filesystems, and perhaps even a `struct container` definition in the kernel proper.
In this talk, I'll cover several of these container-relevant patchsets that have been proposed for the kernel, motivate why they are interesting, and discuss where each patchset still needs to go before it can be merged to mainline.
10. IMA namespacing
● global policy
● which namespace to pin?
● what about unshare()?
● ima: namespacing IMA audit messages: https://lkml.org/lkml/2017/7/20/905
37. Wireguard
● WireGuard is an extremely simple yet fast and modern VPN: https://www.wireguard.com/
● Allows for transparent encryption between endpoints
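As an added illustration of that "transparent encryption between endpoints" point (this is not from the slides or from the WireGuard project; the key strings, hostnames and 10.0.0.0/24 addresses are placeholders I made up), here is a minimal two-host WireGuard setup. Each side has one keypair; a peer is identified only by its public key, and the `AllowedIPs` line is WireGuard's "cryptokey routing": it is both the route (which peer gets packets for that prefix) and an access control list (packets arriving from that peer with a source address outside its `AllowedIPs` are dropped).

```ini
# --- Host A: /etc/wireguard/wg0.conf ---
# Placeholder keys: generate real ones with
#   umask 077; wg genkey | tee private.key | wg pubkey > public.key
[Interface]
PrivateKey = <host-A-private-key>
Address = 10.0.0.1/24
ListenPort = 51820

[Peer]
# Host B: only 10.0.0.2 may be sent to, or accepted from, this key
PublicKey = <host-B-public-key>
AllowedIPs = 10.0.0.2/32

# --- Host B: /etc/wireguard/wg0.conf ---
[Interface]
PrivateKey = <host-B-private-key>
Address = 10.0.0.2/24
# No ListenPort: B initiates, so it can sit behind NAT

[Peer]
# Host A, reachable at a fixed address; route the whole tunnel subnet to it
PublicKey = <host-A-public-key>
Endpoint = a.example.org:51820
AllowedIPs = 10.0.0.0/24
# Keep the NAT mapping alive so A can still reach B when idle
PersistentKeepalive = 25
```

Bring each side up with `wg-quick up wg0`; after that, `ping 10.0.0.1` from B travels encrypted over UDP port 51820 with no per-application changes, which is what "transparent" means here. Two practitioner caveats: there are no certificates, so possession of a private key is the whole identity and the key file must be root-only (hence the `umask 077`), and because `AllowedIPs` doubles as the ACL, a peer given `0.0.0.0/0` can source traffic as anything, so keep prefixes as narrow as the topology allows.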
41. Kernel Self Protection Project (KSPP)
● Currently ~12 organizations and ~10 individuals working on ~20 technologies
● KSPP focuses on the kernel protecting the kernel from attack
● More at: https://outflux.net/slides/2017/lss/kspp.pdf