Training M7D-SISINTRO01
man7.org Training and Consulting

Linux Security and Isolation APIs Fundamentals


Course code: M7D-SISINTRO01

This course provides an introduction to the low-level Linux features (set-UID programs, capabilities, namespaces, control groups (v2), and seccomp) used to build containers and sandboxing systems.

Audience and prerequisites

The primary audience comprises designers and programmers building privileged applications, container applications, and sandboxing applications. Systems administrators who manage such applications will also find the course of benefit.

Participants should have working knowledge of the fundamental system programming topics covered in the Linux System Programming Essentials (M7D-SPESS01) course. This includes file descriptors and file I/O, signals, and the process lifecycle (fork(), exec(), wait(), exit()). In addition, participants should have a reading knowledge of the C programming language. (Note, however, that the course exercises do not require writing any programs.)

Related courses

The Linux Security and Isolation APIs (M7D-SECISOL02) course covers the same topics as this course, but in greater depth.

Course materials

• Course books (written by the trainer) that include all slides and exercises presented in the course
• An electronic copy of the trainer’s book, The Linux Programming Interface
• Numerous example programs written by the course trainer

Course duration and format

Two days, with around 40% of the course time devoted to practical sessions.

Course inquiries and bookings

For inquiries about courses and consulting, you can contact us in the following ways:

• Email: [email protected]
• Phone: +49 (89) 2155 2990 (German landline)

Prices, dates, and further details

For course prices, upcoming course dates, and further information about the course, please visit the course web page, http://man7.org/training/secisolintro/.

About the trainer


Michael Kerrisk has a unique set of qualifications and experience that ensure that course participants receive training of a very high standard:

• He has been programming on UNIX systems since 1987 and began teaching UNIX system programming courses in 1989.
• He is the author of The Linux Programming Interface, a 1550-page book acclaimed as the definitive work on Linux system programming.
• He has been actively involved in Linux development, working with kernel developers on testing, review, and design of new Linux kernel–user-space APIs.
• Since 2000, he has been involved in the Linux man-pages project, which provides the manual pages documenting Linux system calls and C library APIs, and was the project maintainer from 2004 to 2021.

http://man7.org/training/ | [email protected] (v2023-05-28 # b2a75a1b) Page 1


Linux Security and Isolation APIs Fundamentals: course contents in detail

Topics marked with an asterisk (*) may be covered, if time permits.

1. Course Introduction

2. Classical Privileged Programs
• A simple set-user-ID program
• Saved set-user-ID and saved set-group-ID
• Changing process credentials
• A few guidelines for writing privileged programs

3. Capabilities
• Process and file capabilities
• Permitted & effective capabilities
• Setting & viewing file capabilities
• Capabilities-dumb and capabilities-aware applications
• Text form capabilities
• Capabilities and execve()
• The capability bounding set
• Capabilities and UID transitions
• Summary remarks

4. Capabilities: Further Topics
• Capabilities, UID 0, and execve()
• Programming with capabilities (*)

5. Namespaces
• Use cases
• An example: UTS namespaces
• Namespaces commands
• Namespaces demonstration (UTS namespaces)
• Namespace types and APIs
• What does it mean to be superuser in a namespace?

6. Mount Namespaces and Shared Subtrees
• Mount namespaces
• Shared subtrees

7. PID Namespaces

8. Namespaces APIs
• API Overview
• Creating a child process in new namespaces: clone()
• /proc/PID/ns
• Entering a namespace: setns()
• Creating a namespace: unshare()
• PID namespaces idiosyncrasies (*)

9. User Namespaces
• Overview of user namespaces
• Creating and joining a user namespace
• User namespaces: UID and GID mappings
• User namespaces, execve(), and user ID 0
• Combining user namespaces with other namespaces

10. User Namespaces and Capabilities
• User namespaces and capabilities

11. Cgroups: Introduction
• Preamble
• What are control groups?
• An example: the pids controller
• Creating and destroying cgroups
• Populating a cgroup
• Enabling and disabling controllers

12. Cgroups: A Survey of the Controllers
• The cpu, memory, freezer, and pids controllers
• Other controllers (*)

13. Seccomp (*)
• Seccomp filtering and BPF
• The BPF virtual machine and BPF instructions
• BPF filter return values
• BPF programs
• Checking the architecture
• Productivity aids (libseccomp and other tools)
• Applications and further information

The following are some of the other courses taught by Michael Kerrisk. Custom courses are also available upon request. Further
details on these and other courses can be found at http://man7.org/training/. For course inquiries please email [email protected] or
phone +49 (89) 2155 2990 (German landline).

Linux Security and Isolation APIs

Course code: M7D-SECISOL02 (4 days)

Covering topics including control groups (cgroups v1 and v2), namespaces (with a deep dive into user namespaces), capabilities, and seccomp (secure computing), this course provides a deep understanding of the low-level Linux features used to design, build, and troubleshoot container, virtualization, and sandboxing frameworks. [This course is an expanded version of the course described above.]

Linux/UNIX System Programming

Course code: M7D-LUSP01 (5 days)

This course covers the APIs required to build system-level applications on Linux and UNIX systems ranging from embedded processors to enterprise servers. The presentations and practical exercises provide participants with the knowledge needed to write complex system, network, and multithreaded applications. Topics covered include file I/O; signals; process creation and termination; program execution; multithreaded programming with POSIX threads; IPC (pipes, FIFOs, shared memory, semaphores, and sockets); and I/O multiplexing (poll(), select(), and epoll).

Building and Using Shared Libraries on Linux

Course code: M7D-SHLIB03 (2 days)

This course provides a thorough understanding of the process of designing, building, and using shared libraries on Linux. Topics covered include: fundamentals of library creation and use; shared library versioning; symbol resolution; library search order; executable and linking format (ELF); dynamically loaded libraries; controlling symbol visibility; and symbol versioning.

http://man7.org/training/ | [email protected] (v2023-05-28 # b2a75a1b) Page 2