Abstract: The adoption of Docker containers has revolutionized software deployment by providing a lightweight and efficient way to isolate applications in data centers. However, securing these containers, especially when handling sensitive data, poses significant challenges. Traditional Linux Security Modules (LSMs) such as SELinux and AppArmor have limitations in providing fine-grained access control to files within containers. This paper presents a novel approach using eBPF (extended Berkeley Packet Filter) to implement an LSM that focuses on file-oriented access control within Docker containers. The module allows the specification of policies that determine which programs can access sensitive files, providing enhanced security without relying solely on the host operating system's major LSM.
Abstract: Here are "pictures" of strange or even mythical animals--a grey mouse, something that looks like a dinosaur or a Chinese dragon, a pile of small triangles, the sun or a star, a flag or banner. All these are in neatly arranged small squares, making the photocopy look like a chessboard.