Linux Capabilities and Namespaces course outline

1. Course Introduction
2. Classical privileged Programs
   • A simple set-user-ID program
   • Saved set-user-ID and saved set-group-ID
   • Changing process credentials
   • A few guidelines for writing privileged programs
3. Capabilities
   • Process and file capabilities
   • Permitted and effective capabilities
   • Setting and viewing file capabilities
   • Capabilities-dumb and capabilities-aware applications
   • Text form capabilities
   • Capabilities and execve()
   • The capability bounding set
   • Inheritable capabilities
   • Ambient capabilities
   • Capabilities and UID transitions
   • Summary remarks
4. Capabilities: Further Topics
   • Capabilities, UID 0, and execve()
   • Making a capabilities-only environment: securebits (*)
   • Programming with capabilities (*)
5. Namespaces
   • An example: UTS namespaces
   • Namespaces commands
   • Namespaces demonstration (UTS namespaces)
   • Namespace types and APIS
   • Namespaces, containers, and virtualization
6. Mount Namespaces and Shared Subtrees
   • Mount namespaces
   • Shared subtrees
   • Bind mounts
7. PID Namespaces
   • PID namespaces
8. Other Namespaces
   • IPC namespaces
   • Time namespaces
   • Cgroup namespaces
   • Network namespaces
9. Namespaces APIs
   • API Overview
   • Creating a child process in new namespaces: clone()
   • /proc/PID/ns
   • Entering a namespace: setns()
   • Creating a namespace: unshare()
   • PID namespaces idiosyncrasies
   • Namespace lifetime (*)
10. User Namespaces
    • Overview of user namespaces
    • Creating and joining a user namespace
    • User namespaces: UID and GID mappings
    • User namespaces, execve(), and user ID 0
    • Accessing files; file-related capabilities (*)
    • Security issues
    • Use cases
    • Combining user namespaces with other namespaces
11. User Namespaces and Capabilities
    • User namespaces and capabilities
    • What does it mean to be superuser in a namespace?
    • Discovering namespace relationships
    • User namespace "set-UID-root" programs (*)
    • Namespaced file capabilities (*)
12. Mount Namespaces: Further Details (*)
    • Peer groups
    • Private mounts
    • Slave mounts
    • Unbindable mounts
    • Mounting a container filesystem

(*) Topics marked with an asterisk may be covered, if time permits.

Return to the course overview