DockerPolicyModules: Mandatory Access Control for Docker Containers

Enrico Bacis, Simone Mutti, Steven Capelli, Stefano Paraboschi

In 2015 IEEE Conference on Communications and Network Security (CNS)
Florence, Italy, September 28-30, 2015

Get the paper Cite

The wide adoption of Docker and the ability to retrieve images from different sources impose strict security constraints. Docker leverages Linux kernel security facilities, such as namespaces, cgroups and Mandatory Access Control, to guarantee an effective isolation of containers. In order to increase Docker security and flexibility, we propose an extension to the Dockerfile format to let image maintainers ship a specific SELinux policy for the processes that run in a Docker image, enhancing the security of containers.

@inproceedings{docker-policy-modules,
	author = {E. {Bacis} and S. {Mutti} and S. {Capelli} and S. {Paraboschi}},
	booktitle = {2015 IEEE Conference on Communications and Network Security
	             (CNS)},
	title = {DockerPolicyModules: Mandatory Access Control for Docker containers
	         },
	doi = {10.1109/CNS.2015.7346917},
	location = {Florence, Italy},
	day = {28-30},
	month = {September},
	year = {2015},
}

Poster