Awesome Linux Containers


Table of Contents

Foundations

Specifications

Clouds

Operating Systems

Hypervisors

Containers

Sandboxes

Partial Access

Filesystem

Dashboard

Best practices

Security

Tools

Levels of security problems

  1. regular application
  1. system services like cron, ssh
  1. system services like devices, network, filesystems
  1. kernel drivers, network stack, security policies
  1. general like immutable infrastructure


Technologies for security

Things are better. For example, most modern container technologies can make use of Linux's built-in security tools such as:

  - AppArmor, SELinux and Seccomp policies;
  - Grsecurity;
  - Control groups (cgroups);
  - Kernel namespaces.

Sure, you're deploying seccomp, but you can't use SELinux inside your container, because the policy isn't per-namespace (?? LXC uses AppArmor for each container...)
sVirt - SELinux for KVM

Major kernel subsystems are not namespaced, such as:

Devices are not namespaced:

If you can communicate or attack one of these as a privileged process, you can own the system.

Other Information Sources