2015 IEEE Conference on Communications and Network Security (CNS)
DOI: 10.1109/cns.2015.7346917
DockerPolicyModules: Mandatory Access Control for Docker containers

Abstract: The wide adoption of Docker and the ability to retrieve images from different sources impose strict security constraints. Docker leverages Linux kernel security facilities, such as namespaces, cgroups and Mandatory Access Control, to guarantee an effective isolation of containers. In order to increase Docker security and flexibility, we propose an extension to the Dockerfile format to let image maintainers ship a specific SELinux policy for the processes that run in a Docker image, enhancing the security of co…
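The abstract's idea is that an image carries its own SELinux policy so that its processes run under a type tailored to that image instead of the generic container domain. As an added example (not the paper's code, and not its Dockerfile extension, whose syntax is not shown on this page), the POSIX shell script below expresses the same idea with today's standard tooling: a policy module that derives a per-image type from the container domain and allows only what the image needs, a Dockerfile that ships that module, and the `docker run` invocation that pins the container to the type. The container-selinux interface names (`container_domain_template`, `corenet_tcp_bind_http_port`), the selinux-policy-devel Makefile path, the LABEL key and the COPY destination are this example's assumptions, not anything the paper specifies.

```shell
#!/bin/sh
# Added example, not the paper's code: ship a least-privilege SELinux type
# with an image and run the container under it instead of container_t.
# Assumptions: container-selinux refpolicy interfaces and the
# selinux-policy-devel Makefile; the LABEL key and COPY path are made up.

# Emit a policy module that derives ${name}_t from the container domain.
# Anything not allowed here stays denied, so the module is the allowlist.
gen_policy_te() {
    name="$1"
    cat <<EOF
policy_module(${name}, 1.0)

# container_domain_template (container-selinux, assumed) creates ${name}_t
# with the base confinement of container_t; only the rules below are added.
container_domain_template(${name})

# Least privilege: the image's web server binds the HTTP port, nothing more.
corenet_tcp_bind_generic_node(${name}_t)
corenet_tcp_bind_http_port(${name}_t)
EOF
}

# Emit a Dockerfile that ships the module inside the image and records the
# domain it expects. Destination path and label key are example choices.
gen_dockerfile() {
    name="$1"
    cat <<EOF
FROM nginx:alpine
COPY ${name}.te /usr/share/selinux/packages/${name}.te
LABEL org.example.selinux.type=${name}_t
EOF
}

# Weak form: label=disable turns SELinux confinement off for the container.
run_cmd_weak() {
    printf 'docker run -d --security-opt label=disable %s\n' "$1"
}

# Hardened form: label=type:<type> pins the container's processes to the
# shipped domain (a documented docker run option).
run_cmd() {
    printf 'docker run -d --security-opt label=type:%s_t %s\n' "$1" "$2"
}

# Build and load the module on a host that has the tools; returns 2 if not.
install_policy() {
    name="$1"
    if ! command -v semodule >/dev/null 2>&1 \
        || [ ! -f /usr/share/selinux/devel/Makefile ]; then
        echo "SELinux policy tooling not present; skipping install" >&2
        return 2
    fi
    gen_policy_te "$name" > "${name}.te"
    make -f /usr/share/selinux/devel/Makefile "${name}.pp"
    semodule -i "${name}.pp"
}

# Post-start check to run on the host: processes must carry ${name}_t.
check_cmd() {
    printf "ps -eZ | grep -q '%s_t'\n" "$1"
}

# Stand-alone usage: print the artefacts for the image name given as $1.
if [ -n "${1:-}" ]; then
    gen_policy_te "$1"
    gen_dockerfile "$1"
    run_cmd_weak "$1:latest"
    run_cmd "$1" "$1:latest"
    check_cmd "$1"
fi
```

On an enforcing host, after `install_policy webapp` and the hardened `docker run`, `ps -eZ` should list the image's processes under `webapp_t`; with `label=disable` they run unconfined, which is the weak setting the hardened command replaces. Because the derived type starts from the container domain's confinement and only adds the listed rules, a compromised process in the image cannot gain anything the module did not grant.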

Cited by 32 publications (19 citation statements); references 2 publications.
“…Trustable containers can also utilise inter-container protection mechanisms to improve security, e.g. the approach proposed in [27] protects containers from other malicious containers on the same host. Co-hosting a malicious Virtual Machine (VM) on the same physical host as the intended target VM has been a traditional approach adopted in cloud systems in the past.…”
Section: Definition; citation type: mentioning; confidence: 99%
“…To keep the security, we have three major solutions: isolation, host hardening, network security, and jail [20]-[22]. In these solutions, isolation is a common solution to enhance the container security [21], [23], [24]. Managers can apply the identifiers to realize the isolation, e.g.…”
Section: B Docker; citation type: mentioning; confidence: 99%
“…Managers can apply the identifiers to realize the isolation, e.g. containers' namespaces, groups and mandatory access control [24]. Moreover, Bacis et al. [24] propose a docker file configuration to Security-Enhanced Linux policy, so that the container security can be improved.…”
Section: B Docker; citation type: mentioning; confidence: 99%
“…These works present methods that assist in the risk assessment of security aspects [21,19] and challenges regarding privacy, governance and compliance [20]. However, they only superficially address mechanisms for enforcing the control policy over the management of containers, images and access to kernel resources [22,23,3,24]. Thus, the main guides and specific works related to container security that serve as the basis for this work are: (i) [25], covering recommendations, security mechanisms, attacks, threats and methods to guarantee the secure use of containers in the production environment; (ii) [24], presenting conceptual information and strategies to guarantee security in the execution of containers; and (iii) [26], discussing best practices, vulnerabilities, related risks and proposed solutions.…”
Section: Segurança no uso de contêineres (Security in the use of containers); citation type: unclassified