People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!
Containerization has become extremely popular in the last 5 years. But how do containers really work? At their core, they rely on a few built-in OS mechanisms.
The first part of a container is the file system. Containers just take a stripped-down version of an OS, put it into a compressed file, then unpack that file to get the file system. Nothing too interesting or crazy, but good to know.
The second tool is the chroot syscall. It confines the process to a specific directory, which the process then sees as the / directory.
Chroot restricts access to the rest of the file system but nothing else. Running a command such as top still shows all of the process information on the host. The solution for this is namespaces.
The unshare syscall makes it easy to create namespaces, giving the process a restricted view of processes, network interfaces and mounts.
The setns syscall allows for some customization of namespaces. For instance, two namespaces may want to share network interfaces but not process information.
cgroups (short for control groups) limit the computer resources a process can use, such as memory and CPU. This keeps a container from hogging the host's resources.
The final main discussion point is Linux capabilities. In short, capabilities are the collection of powers that together make up root permissions, such as using chown or setting the system clock.
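As an added example (my own code, not from the original post), the following C program decodes the CapEff line of /proc/<pid>/status, so you can see which of root's powers a process inside a container actually holds, for instance whether sys_admin is present. The capability bit numbers follow linux/capability.h; the hex mask fed in first is a constructed sample, while the second run reads the current process live.

```c
/* Added example: decode "CapEff:" from /proc/<pid>/status into capability names. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Capability names indexed by bit number, as defined in linux/capability.h. */
static const char *cap_names[] = {
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
};
#define CAP_COUNT (sizeof cap_names / sizeof cap_names[0])
/* Parse the hex mask after "CapEff:" in a status buffer; 0 if the line is absent. */
uint64_t cap_eff_from_status(const char *status) {
    const char *p = strstr(status, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0;
}
/* Is capability number `bit` (e.g. 21 = sys_admin, 25 = sys_time) set in the mask? */
int cap_has(uint64_t mask, unsigned bit) { return bit < 64 && ((mask >> bit) & 1); }
/* Write comma-separated names of the set bits into out; return how many were set. */
int cap_list(uint64_t mask, char *out, size_t outsz) {
    int n = 0;
    out[0] = '\0';
    for (unsigned i = 0; i < CAP_COUNT; i++) {
        size_t len = strlen(out);
        if (!cap_has(mask, i) || len >= outsz) continue;
        snprintf(out + len, outsz - len, "%s%s", n ? "," : "", cap_names[i]);
        n++;
    }
    return n;
}
int main(void) {
    char names[512], status[8192] = {0};
    /* Constructed sample mask, the kind a default unprivileged container reports. */
    uint64_t m = cap_eff_from_status("CapEff:\t00000000a80425fb\n");
    int n = cap_list(m, names, sizeof names);
    printf("sample: %d caps, sys_admin=%d: %s\n", n, cap_has(m, 21), names);
    FILE *f = fopen("/proc/self/status", "r");   /* live, unprivileged check */
    if (!f) return 1;
    status[fread(status, 1, sizeof status - 1, f)] = '\0';
    fclose(f);
    m = cap_eff_from_status(status);
    n = cap_list(m, names, sizeof names);
    printf("self: %d caps, sys_admin=%d: %s\n", n, cap_has(m, 21), names);
    return 0;
}
```

Run it inside a container and on the host to compare the two lists; a container shell that reports sys_admin or sys_time has far more of root's power than the page's description of capabilities suggests it needs.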