Skip to content

Security, Namespaces, And Cgroups

Imported from _research/manual-study-linux/security-isolation.md.

Security, Namespaces, And Cgroups

Status: implemented source-backed volume.

Source Surface

  • security/security.c: Linux Security Module dispatch implementation.
  • include/linux/lsm_hook_defs.h: LSM hook catalog and macro contract.
  • kernel/capability.c: capability checks and namespace-aware capability helpers.
  • kernel/user_namespace.c: user namespace creation and capability mapping.
  • kernel/nsproxy.c: namespace copy/unshare coordination.
  • kernel/cgroup/cgroup.c: cgroup hierarchy and resource-control model.

LSM Entry Points

security/security.c builds the generic LSM dispatch layer. It includes linux/lsm_hook_defs.h around lines 122-124 to generate static calls and active keys for every hook. The hook definition file documents the LSM_HOOK(return, default, name, args...) pattern around lines 17-27 and then lists hooks such as capable at line 44, mount hooks around lines 72-74, and path hooks around lines 90-110.

This means security policy is not bolted onto one syscall. It is a hook lattice spread across object lifecycles.

Capabilities And Namespaces

Linux authority is split between credentials, capabilities, and namespaces. kernel/capability.c routes checks through helpers such as ns_capable_common(), ns_capable(), and capable(). Namespace creation and copying flows through kernel/nsproxy.c and kernel/user_namespace.c.

The design point is authority relative to a namespace. A process can have power inside one namespace without receiving equivalent power in the host namespace.

Cgroups

kernel/cgroup/cgroup.c implements generic process grouping and controller coordination. Its comments around lines 71-82 describe cgroup_mutex and css_set_lock as core synchronization boundaries. It builds the controller array from linux/cgroup_subsys.h around lines 140-151 and maintains the default hierarchy at line 179.

Cgroups are not only accounting. They are a hierarchy that binds tasks to resource controllers, lifetime notifications, stats, and namespace-visible resource policy.

Control Flow

Security and isolation combine at runtime:

  1. Credentials and namespace context define who is acting.
  2. Capabilities answer whether the actor has specific authority in that namespace.
  3. LSM hooks allow policy modules to accept or deny object operations.
  4. Cgroups constrain resource usage and expose control files.
  5. Namespace and cgroup membership affect what the actor can see and consume.

Rust Translation

A Rust kernel/runtime should make authority explicit:

  • Credentials and NamespaceRef are required inputs to privileged actions.
  • CapabilitySet is namespace-relative.
  • LSM-style hooks are typed policy traits with default results.
  • Cgroup or ResourceDomain owns limits, stats, membership, and teardown.
  • APIs should avoid ambient global “is root” checks.

AI-Native Translation

This is the core model for safe agents. Agents need namespace-relative authority, cgroup-like resource domains, LSM-like policy hooks, and auditable capability checks at every tool boundary. The runtime should be able to say: “this agent may write here, network there, spend this much CPU/memory, and only through these hooks.”

  • file-notes/linux__security__security.c.md
  • file-notes/linux__kernel__cgroup__cgroup.c.md