BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//cfp.all-systems-go.io//ASG2018//F3PHBF
BEGIN:VEVENT
UID:pretalx-ASG2018-178@cfp.all-systems-go.io
DTSTART:20180928T104500Z
DTEND:20180928T110000Z
DESCRIPTION:Modern container engines such as systemd-nspawn and rkt provide
  a means of restricting privilege by limiting Linux capabilities. At Faceb
 ook\, however\, the heterogeneity of services and complexity of libraries 
 running inside the container\, along with our full init system model\, mak
 e determining the set of capabilities that a task uses non-trivial. In thi
 s talk\, we will discuss how we tackled this problem in a performant manne
 r by building Capmond\, a host-level daemon that leverages BPF to monitor 
 capability usage by a process\, and map it reliably to the associated cont
 ainer. Learn about the challenges we faced in making this work on our uniq
 ue infrastructure\, how this compares to known solutions such as auditd\, 
 and how we are leveraging Capmond to build sandboxes around capability usa
 ge\, ssh sessions\, system calls\, and more. Capmond is in the process of 
 being open sourced\, so we'll also talk about how you can use it in your o
 rganization to help monitor your production systemd (nspawn) containers.
DTSTAMP:20260315T020349Z
LOCATION:Loft
SUMMARY:Monitoring Linux Capabilities in the Container using BPF - William 
 Smith
URL:https://cfp.all-systems-go.io/ASG2018/talk/178/
END:VEVENT
END:VCALENDAR
