DockerPolicyModules: Mandatory Access Control for Docker Containers
Enrico Bacis, Simone Mutti, Steven Capelli, Stefano Paraboschi
In Proceedings of the 3rd IEEE Conference on Communications and Network Security (CNS)
The wide adoption of Docker and the ability to retrieve images from different sources impose strict security constraints. Docker leverages Linux kernel security facilities, such as namespaces, cgroups and Mandatory Access Control, to guarantee an effective isolation of containers. In order to increase Docker security and flexibility, we propose an extension to the Dockerfile format to let image maintainers ship a specific SELinux policy for the processes that run in a Docker image, enhancing the security of containers.