Containers

Path Safety in the Trenches

UA2.118 (Henriot)
Aleksa Sarai
<p>Over the past decade (or three) of container runtimes on Linux, the attacks against container runtimes with the most bang-for-your-buck have generally been filesystem related — often in the form of a confused-deputy style attack. This is aided in part by the sheer number of juicy targets accessible through filesystem APIs such as <code>/proc</code>.</p>
<p>In particular, the past few years have seen quite a few security issues of this form in <a href="https://github.com/opencontainers/runc">runc</a> and other container runtimes — most recently in a set of CVEs published in November 2025 (<a href="https://github.com/opencontainers/runc/security/advisories/GHSA-9493-h29p-rfm2">CVE-2025-31133</a>, <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-qw9x-cqr3-wc7r">CVE-2025-52565</a>, and <a href="https://github.com/opencontainers/runc/security/advisories/GHSA-cgrx-mc8f-2prm">CVE-2025-52881</a>). However, this is far from a container-specific issue. Many Unix programs have historically suffered from similar issues, and the various attempts at resolving them have not really measured up.</p>
<p>This talk will go through the myriad issues involved in protecting user-space programs against these kinds of attacks, the completed and ongoing kernel work intended to make these problems easier to resolve, and our experience migrating a container runtime's codebase to a design which emphasises path safety. In addition, this talk will include an update on <a href="https://github.com/cyphar/libpathrs">libpathrs</a> (a library intended to make mitigating these attacks much easier for most Linux programs).</p>
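<p>As an added example (not the speaker's code and not libpathrs itself), the walk below shows the user-space "in-root" path resolution that libpathrs emulates when the kernel lacks <code>openat2(RESOLVE_IN_ROOT)</code>: each component is opened with <code>O_NOFOLLOW</code> relative to a directory fd, every symlink target is re-walked from the same root fd so it cannot land outside it, and <code>..</code> is clamped at the root. It assumes Linux (<code>O_PATH</code>, <code>dir_fd</code>-aware <code>os.open</code>/<code>os.readlink</code>) and Python 3.8+; <code>demo()</code> builds a constructed temporary tree containing links shaped like escape attempts and reports where they resolve.</p>

```python
import errno
import os
import stat
import tempfile

def resolve_in_root(root_fd: int, path: str) -> int:
    """Resolve `path` with `root_fd` acting as `/` and return an O_PATH fd for the result.
    Added example of the userspace in-root walk libpathrs falls back to without openat2."""
    flags = os.O_PATH | os.O_NOFOLLOW | os.O_CLOEXEC   # never let the kernel follow a link
    dirs, hops = [root_fd], 0                          # fd stack (dirs[0] is never popped), link count
    todo = [c for c in path.split("/") if c not in ("", ".")]
    try:
        while todo:
            comp = todo.pop(0)
            if comp == "..":
                if len(dirs) > 1:                      # ".." at the root stays at the root
                    os.close(dirs.pop())
                continue
            fd = os.open(comp, flags, dir_fd=dirs[-1])  # kernel returns ENOTDIR for a file parent
            if not stat.S_ISLNK(os.fstat(fd).st_mode):
                dirs.append(fd)                        # plain dir or file: descend into it
                continue
            os.close(fd)                               # symlink: read it and re-walk the target
            if (hops := hops + 1) > 40:                # same chain limit the kernel enforces
                raise OSError(errno.ELOOP, "too many symlinks", path)
            target = os.readlink(comp, dir_fd=dirs[-1])
            if target.startswith("/"):                 # absolute target restarts at *our* root
                while len(dirs) > 1:
                    os.close(dirs.pop())
            todo[:0] = [c for c in target.split("/") if c not in ("", ".")]
        return dirs.pop() if len(dirs) > 1 else os.dup(root_fd)
    finally:
        for fd in dirs[1:]:                            # drop intermediate dirs, keep the root open
            os.close(fd)

def demo() -> dict:
    """Constructed rootfs with escape-shaped links; True means the walk stayed inside the root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(f"{root}/etc/sub")
        open(f"{root}/etc/passwd", "w").close()                 # in-root stand-in for the host file
        os.symlink("/etc/passwd", f"{root}/abs")                # absolute link to the host path
        os.symlink("../../../etc/passwd", f"{root}/etc/sub/rel")  # one ".." too many
        root_fd, want = os.open(root, os.O_PATH), os.stat(f"{root}/etc/passwd")
        results = {}
        for name in ("abs", "etc/sub/rel", "../../etc/passwd"):
            fd = resolve_in_root(root_fd, name)
            results[name] = os.fstat(fd)[1:3] == want[1:3]    # same (st_ino, st_dev)
            os.close(fd)
        os.close(root_fd)
        return results
```

<p>The remaining window between the <code>open</code> and the <code>readlink</code> of a link cannot be used to escape, because whatever target is read is itself re-walked from the root fd; <code>openat2(2)</code> with <code>RESOLVE_IN_ROOT</code> (and <code>RESOLVE_NO_MAGICLINKS</code> for <code>/proc</code>) moves this whole walk into the kernel.</p>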

Additional information

Live Stream https://live.fosdem.org/watch/ua2118
Type devroom
Language English
