# Confinement

## Namespaces

Allow resources to be partitioned into separate views (the namespaces).

* Processes in a namespace have a restricted view of the system.
* Activated by an ordinary process through syscalls:
  * `clone`: creates a child process and defines the namespace it is moved into.
  * `unshare`: disassociates the calling process from its current context (namespaces).
  * `setns`: puts the calling process into an existing namespace.

Types of namespaces:

* **mount**: applied to mount points.
* **process id**: the first process in the namespace has PID 1.
* **network**: "independent" network stack (routes, interfaces, ...).
* **IPC**: methods of communication between processes.
* **uts**: hostname independence (DNS name).
* **user id**: segregation of permissions.
* **cgroup**: limitation of resources used (memory, CPU, ...).

```bash
## Create netns named mynetns
root@vm: ~# ip netns add mynetns

## Change iptables INPUT policy for the netns
root@linux: ~# ip netns exec mynetns iptables -P INPUT DROP

## List iptables rules outside the namespace
root@linux: ~# iptables -L INPUT
Chain INPUT (policy ACCEPT)
target    prot opt source    destination

## List iptables rules inside the namespace
root@linux: ~# ip netns exec mynetns iptables -L INPUT
Chain INPUT (policy DROP)
target    prot opt source    destination

## List Interfaces in the namespace
root@linux: ~# ip netns exec mynetns ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 100
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    
## Move the interface enp0s3 to the namespace
root@linux: ~# ip link set enp0s3 netns mynetns

## List interfaces in the namespace
root@linux: ~# ip netns exec mynetns ip link list
1: lo: <LOOPBACK> mtu 65536 qdisc noop state DOWN mode DEFAULT group default qlen 100
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: enp0s3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN mode DEFAULT...
    link/ether 08:00:27:83:0a:55 brd ff:ff:ff:ff:ff:ff
    
## List interfaces outside the namespace
root@linux: ~# ip link list
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT...
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
```

## Containers

Uses namespaces to provide a virtual view of the system.

* Network isolation, cgroups, user IDs, mounts, etc.

Processes are executed inside a container.

* A container is an application-level construct, not a kernel one.
* Consists of an environment built by composing namespaces.
* Requires bridging to the real system's network interfaces and proxy processes.

Relevant approaches:

* **LXC (LinuX Containers)**: focus on a complete virtualized environment.
  * Evolution of OpenVZ.
* **Docker**: focus on running isolated applications from a portable package that moves between systems.
  * Uses LXC.
