man7.org Training and Consulting

Linux Capabilities and Namespaces

Course code: M7D-CAPNS01

This course provides an in-depth exploration of Linux namespaces, which are used in a wide array of virtualization and sandboxing technologies such as Docker, LXC, Flatpak, Firejail, Systemd, and various web browsers. In addition, the course covers the Linux capabilities model, since an understanding of that model is essential to understanding the operation of user namespaces, which are a cor- nerstone of many of the aforementioned applications. Detailed presentations coupled with carefully designed practical exercises provide participants with the knowledge needed to understand, design, develop, and administer such applica- tions.

Audience and prerequisites Course duration and format

The primary audience comprises designers and programmers Two days, with around 40% of the course time devoted to building privileged applications, container applications, and practical sessions. sandboxing applications. Systems administrators who are managing such applications are also likely to find the course Course inquiries and bookings of benefit. Participants should have a good reading knowledge of the For inquiries about courses and consulting, you can contact C programming language and solid programming experience us in the following ways: in a language suitable for completing the course exercises (e.g., C, C++, Go). • Email: [email protected] Course materials • Phone: +49 (89) 2155 2990 (German landline) • A course book (written by the trainer) that includes all Prices, dates, and further details course slides and exercises • A source code tarball containing all of the (many) ex- For course prices, upcoming course dates, and further infor- ample programs written by the trainer to accompany the mation about the course, please visit the course web page, presentation http://man7.org/training/capns/.

About the trainer

Michael Kerrisk has a unique set of qualifica- system programming. tions and experience that ensure that course • He is actively involved in Linux develop- participants receive training of a very high ment, working with kernel developers on standard: testing, review, and design of new Linux • He has been programming on UNIX sys- kernel–user-space APIs. tems since 1987 and began teaching UNIX • Since 2004, he has been the maintainer of man-pages system programming courses in 1989. the Linux project, which pro- • He is the author of The Linux Program- vides the manual pages documenting the ming Interface, a 1550-page book widely Linux kernel–user-space and GNU C library acclaimed as the definitive work on Linux APIs.

http://man7.org/training/ +49 (89) 2155 2990 k [email protected] @mkerrisk Version: 2021-03-01 Page 1  Linux Capabilities and Namespaces: course contents in detail

Topics marked with an asterisk (*) will be covered as time permits.

1. Course Introduction • /proc/PID/ns 2. Privileged Programs • Entering a namespace: setns() • Process credentials • Creating a namespace: unshare() • Set-user-ID and set-group-ID programs • PID namespaces idiosyncrasies • Changing process credentials • ioctl() operations • A few guidelines for writing privileged programs • Namespace lifetime 9. User Namespaces 3. Capabilities • Overview of user namespaces • Process and file capabilities • Creating and joining a user NS • Setting and viewing file capabilities • User namespaces: UID and GID mappings • Text form capabilities • User namespaces, execve(), and user ID 0 • Capabilities and execve(); further capability sets • Security issues • Ambient capabilities • Use cases 4. Capabilities: Further Topics (*) • Combining user namespaces with other • Root, UID transitions, and capabilities namespaces • Making a capabilities-only environment: 10. User Namespaces and Capabilities securebits • User namespaces and capabilities • Programming with capabilities • User namespaces and capabilities revisited 5. Namespaces • Namespaced file capabilities (*) • Namespace types 11. Mount Namespaces: Further Details (*) • UTS namespaces • Peer groups • Namespace APIs and commands • Private mounts • Namespaces, containers, and virtualization • Slave mounts 6. Mount Namespaces and Shared Subtrees • Unbindable mounts • Mount namespaces 12. Network Namespaces (*) • Shared subtrees • Introduction • Bind mounts • Creating and deleting network namespaces 7. Other namespaces • Executing commands inside a network • IPC, cgroup, time, network, and PID namespace namespaces • Virtual networking devices • Connecting namespaces with a veth pair 8. Namespaces APIs • Physical networking devices • API Overview • Using a bridge or switch to connect namespaces • Creating a child process in a new namespace: • Connecting a network namespace to the Internet clone() • Use cases for network namespaces

http://man7.org/training/ +49 (89) 2155 2990 k [email protected] @mkerrisk Version: 2021-03-01 Page 2