Security, Namespaces, And Cgroups
Imported from
_research/manual-study-linux/security-isolation.md.
Security, Namespaces, And Cgroups
Status: implemented source-backed volume.
Source Surface
security/security.c: Linux Security Module dispatch implementation.include/linux/lsm_hook_defs.h: LSM hook catalog and macro contract.kernel/capability.c: capability checks and namespace-aware capability helpers.kernel/user_namespace.c: user namespace creation and capability mapping.kernel/nsproxy.c: namespace copy/unshare coordination.kernel/cgroup/cgroup.c: cgroup hierarchy and resource-control model.
LSM Entry Points
security/security.c builds the generic LSM dispatch layer. It includes
linux/lsm_hook_defs.h around lines 122-124 to generate static calls and
active keys for every hook. The hook definition file documents the
LSM_HOOK(return, default, name, args...) pattern around lines 17-27 and then
lists hooks such as capable at line 44, mount hooks around lines 72-74, and
path hooks around lines 90-110.
This means security policy is not bolted onto one syscall. It is a hook lattice spread across object lifecycles.
Capabilities And Namespaces
Linux authority is split between credentials, capabilities, and namespaces.
kernel/capability.c routes checks through helpers such as
ns_capable_common(), ns_capable(), and capable(). Namespace creation and
copying flows through kernel/nsproxy.c and kernel/user_namespace.c.
The design point is authority relative to a namespace. A process can have power inside one namespace without receiving equivalent power in the host namespace.
Cgroups
kernel/cgroup/cgroup.c implements generic process grouping and controller
coordination. Its comments around lines 71-82 describe cgroup_mutex and
css_set_lock as core synchronization boundaries. It builds the controller
array from linux/cgroup_subsys.h around lines 140-151 and maintains the
default hierarchy at line 179.
Cgroups are not only accounting. They are a hierarchy that binds tasks to resource controllers, lifetime notifications, stats, and namespace-visible resource policy.
Control Flow
Security and isolation combine at runtime:
- Credentials and namespace context define who is acting.
- Capabilities answer whether the actor has specific authority in that namespace.
- LSM hooks allow policy modules to accept or deny object operations.
- Cgroups constrain resource usage and expose control files.
- Namespace and cgroup membership affect what the actor can see and consume.
Rust Translation
A Rust kernel/runtime should make authority explicit:
CredentialsandNamespaceRefare required inputs to privileged actions.CapabilitySetis namespace-relative.- LSM-style hooks are typed policy traits with default results.
CgrouporResourceDomainowns limits, stats, membership, and teardown.- APIs should avoid ambient global “is root” checks.
AI-Native Translation
This is the core model for safe agents. Agents need namespace-relative authority, cgroup-like resource domains, LSM-like policy hooks, and auditable capability checks at every tool boundary. The runtime should be able to say: “this agent may write here, network there, spend this much CPU/memory, and only through these hooks.”
Evidence Links
file-notes/linux__security__security.c.mdfile-notes/linux__kernel__cgroup__cgroup.c.md