Notes - MCS
Secure Execution Environments
Notes - MCS
Secure Execution Environments
  • Secure Execution Environments
  • Introduction
    • Trusted Computing Base (TCB)
    • TEE (Trusted Execution Environment)
    • Can you trust the operating system?
  • Security in Operating Systems
    • Operating system
    • Virtual machines and hypervisors
    • Computational model
    • Access control
    • Protection with capabilities
    • Unix file protection ACLs
    • Windows NTFS file protection
    • Unix file protection ACLs
    • Privilege elevation
    • Privilege reduction
    • Linux login
  • Virtualization on Intel Processors
    • Modes of Operation
    • Virtual memory
    • How to put assembly instructions inside C code
    • A more elaborate example
    • Useful assembly instructions
  • Intel Software Guard Extensions
    • What is SGX (Software Guard eXtensions)?
    • SGX Enclave Memory
    • Guidelines for designing applications using SGX
    • Performance Overhead
    • SDK compilation modes
    • Writing Enclave Functions
  • ARM TrustZone
    • SoC and IP
    • ARM TrustZone
    • Worlds
    • Architecture
    • TrustZone bootstrap
  • Linux Kernel Namespaces
    • Namespaces
    • Advantages
    • Process Namespace
    • Network namespace
    • Mount namespace
    • UTS namespace
    • User namespace
  • LXC Linux Containers
    • Container
    • LXC containers
  • AppArmor
    • Purpose
    • Enforcement
    • Benefits
    • Attack prevention
    • Enforcement policies
    • Enforcement modes
    • Logging and auditing
    • Profiles
  • TPM (Trusted Platform Module)
    • Trusted Platform Module (TPM)
    • History
    • Cryptographic Concepts
    • Use cases
    • TPM Software Stack (TSS)
    • TPM concepts
    • Entities
    • Key management
    • Restrict signatures
    • Sessions
    • Authorization roles
  • Bootstrap security
    • AEGIS
    • Trusted computing
    • Root of Trust Measurements
    • Trusted Computing Platform Alliance (TCPA)
    • TPM-based attestation
    • Trusted Platform identity credentials
    • UEFI (Unified Extensible Firmware Interface)
    • NSA Boot Security
    • UEFI secure boot & TPM measurements
    • Intel Trusted Execution Technology (TXT)
    • Smartcards
      • Java Cards
      • OpenCard Framework (OCF)
      • Cryptographic services
Powered by GitBook
On this page
  1. Linux Kernel Namespaces

Mount namespace

Last updated 10 months ago

Mount namespaces provide isolation of the list of mount points seen by the processes in each namespace instance. The processes in each of the mount namespace instances will see distinct single-directory hierarchies.

The views provided by the /proc/[pid])/mounts, mountinfo, and mountstats files correspond to the mount namespace in which the process with the PID [pid] resides.

If a namespace is created using a clone, the mount point list of the child's namespace is a copy of the mount point list in the parent's namespace. If it is created using unshare, the mount point list of the new namespace is a copy of the mount point list in the caller's previous mount namespace.

A file system includes many mounts.

  • Namely / is usually mounted on a storage device.

A new mount namespace allows processes in inner namespaces to change mount points without affecting outer namespaces.

This is beneficial to mount entire file systems to different devices or even files.