DockerPolicyModules: Mandatory Access Control for Docker Containers
Enrico Bacis, Simone Mutti, Steven Capelli, Stefano Paraboschi
In Proceedings of the 3rd IEEE Conference on Communications and Network Security (CNS)
The wide adoption of Docker and the ability to retrieve images from different sources impose strict security constraints. Docker leverages Linux kernel security facilities, such as namespaces, cgroups and Mandatory Access Control, to guarantee effective isolation of containers. In order to increase Docker security and flexibility, we propose an extension to the Dockerfile format that lets image maintainers ship a specific SELinux policy for the processes that run in a Docker image, enhancing the security of containers.
@INPROCEEDINGS{7346917,
author={E. {Bacis} and S. {Mutti} and S. {Capelli} and S. {Paraboschi}},
booktitle={2015 IEEE Conference on Communications and Network Security (CNS)},
title={DockerPolicyModules: Mandatory Access Control for Docker containers},
year={2015},
volume={},
number={},
pages={749-750},
abstract={The wide adoption of Docker and the ability to retrieve images from different sources impose strict security constraints. Docker leverages Linux kernel security facilities, such as namespaces, cgroups and Mandatory Access Control, to guarantee an effective isolation of containers. In order to increase Docker security and flexibility, we propose an extension to the Dockerfile format to let image maintainers ship a specific SELinux policy for the processes that run in a Docker image, enhancing the security of containers.},
keywords={image retrieval;Linux;telecommunication security;DockerPolicyModule;access control;image retrieval;Linux kernel security facility;Docker security;container security enhancement;Containers;Linux;Kernel;Access control;Virtualization;Proposals},
doi={10.1109/CNS.2015.7346917},
ISSN={},
month={Sep.},
}