Linux Capabilities and Namespaces course outline

1. Course Introduction
2. Classical privileged Programs
   • A simple set-user-ID program
   • Saved set-user-ID and saved set-group-ID
   • Changing process credentials
   • A few guidelines for writing privileged programs
3. Capabilities
   • Process and file capabilities
   • Permitted and effective capabilities
   • Setting and viewing file capabilities
   • Capabilities-dumb and capabilities-aware applications
   • Text-form capabilities
4. Capabilities and execve()
   • Capabilities and execve()
   • The capability bounding set
   • Inheritable capabilities
   • Summary of process capability sets (so far)
   • Ambient capabilities
   • An alternative summary of process capability sets
   • Summary remarks
5. Capabilities and UID 0
   • Capabilities and UID transitions
   • Capabilities, UID 0, and execve()
   • Making a capabilities-only environment: securebits (*)
6. Programming with capabilities (*)
   • Programming with capabilities
7. Namespaces
   • An example: UTS namespaces
   • Namespaces commands
   • Namespaces demonstration (UTS namespaces)
   • Namespace types and APIS
   • Namespaces, containers, and virtualization
8. Mount Namespaces and Shared Subtrees
   • Mount namespaces
   • Shared subtrees
   • Bind mounts
9. PID Namespaces
   • PID namespaces
10. Other Namespaces
    • IPC namespaces
    • Time namespaces
    • Cgroup namespaces
    • Network namespaces
11. Namespaces APIs
    • API Overview
    • Creating a child process in new namespaces: clone()
    • /proc/PID/ns
    • Entering a namespace: setns()
    • Creating a namespace: unshare()
    • PID namespaces idiosyncrasies
    • Namespace lifetime (*)
12. User Namespaces
    • Overview of user namespaces
    • Creating and joining a user namespace
    • User namespaces: UID and GID mappings
    • Accessing files (and other objects with UIDs/GIDs)
    • Security issues
    • Combining user namespaces with other namespaces
    • Use cases
13. User namespaces, execve(), and user ID 0
• User namespaces, execve(), and user ID 0
14. User Namespaces and Capabilities
    • User namespaces and capabilities
    • What does it mean to be superuser in a namespace?
    • Discovering namespace relationships
    • File-related capabilities (*)
15. User Namespaces and Privileged Programs (*)
    • User namespace "set-UID-root" programs
    • Namespaced file capabilities
16. Mount Namespaces: Further Details (*)
    • Peer groups
    • Private mounts
    • Slave mounts
    • Unbindable mounts
    • Mounting a container filesystem

(*) Topics marked with an asterisk may be covered, if time permits.

Return to the course overview