Namespacing and Stacking the LSM

This proposal has been rejected.


One Line Summary

Making Linux Security Modules available to containers.


Containers would like to be able to make use of Linux Security
Modules (LSMs), from providing more complete system virtualization
to improving container confinement. To date containers access to the
LSM has been limited but there has been work to change the situation.

This presentation will discuss the current state of LSM namespacing
and stacking. The work being done on various security modules to
support namespacing, the infrastructure work being done to improve the
LSM, followed by an examination of the remaining problems.


security, container, namespacing

Presentation Materials



  • John Johansen



    John Johansen began working with open source software in the late 80s and began playing with Linux in 93. He completed a masters in mathematics at the University of Waterloo and the began working for Immunix doing compiler hardening, and then AppArmor. After Immunix was acquired by Novell he began working on Suse Linux and in 2009 he joined Canonical as a kernel engineer. He is currently employed by Canonical as a security engineer with a primary focus on supporting the AppArmor project.

  • New zealand photos 664 - copy


    Casey Schaufler worked on Unix kernels in the 1970s-90s. He has implemented access control lists, mandatory access control, extended filesystem attributes, X11 access controls, network protocols and more audit systems than is really healthy. His involvement in Linux began with the Linux Security Module work at the turn of the century, introducing the Smack LSM in 2007. Casey is reworking the LSM infrastructure to support multiple concurrent modules. He has spoken at LCA, OLS, and many venues.