Process based container escape monitoring and resource isolation scheme

2022 13th International Conference on Information and Communication Systems (ICICS)(2022)

Abstract
The operating system kernel manages the operations and processes of all containers. A kernel-level vulnerability therefore threatens every application running in a container, a security problem that cannot be ignored. An attacker who exploits such a vulnerability can break out of the container (container escape), compromising the reliable operation of other containers and of the host itself. This paper designs a process-based resource isolation and escape monitoring scheme. Container escape is detected through the process namespace, and access control is enforced on container processes that read or write host files and files in the image's read-write layer. Combined with a security monitoring system, the scheme provides monitoring and alarms that ensure the safe and reliable operation of containers and the security of the intelligent IoT terminal operating system.
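The two mechanisms the abstract names, escape detection through the process (PID) namespace and access control on a container process's reads and writes of host files and of the read-write layer, as an added example in Python. This is not the paper's code or its monitoring system: the cgroup path markers, the constructed process table, the hypothetical overlay2 paths and the two detection rules are this example's own assumptions, and the live /proc reader only works on Linux.

```python
"""Added example: PID-namespace based container escape detection plus a file access
policy for container processes. Not the paper's implementation; heuristics, cgroup
markers and sample data are assumptions made for illustration."""
import os
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Proc:
    pid: int
    ppid: int
    pid_ns: str   # target of the /proc/<pid>/ns/pid symlink, e.g. "pid:[4026531836]"
    cgroup: str   # cgroup path from /proc/<pid>/cgroup, e.g. "/docker/3f0c"


@dataclass
class ContainerFs:
    merged: str                 # overlay mount the container sees as "/"
    upperdir: str               # the read-write layer (overlay2 "diff" dir)
    lowerdirs: Tuple[str, ...]  # read-only image layers


# Assumed cgroup path fragments that mark a process as belonging to a container.
CONTAINER_CGROUP_MARKERS = ("/docker/", "/kubepods", "/lxc/", "/containerd")


def in_container_cgroup(cgroup: str) -> bool:
    return any(marker in cgroup for marker in CONTAINER_CGROUP_MARKERS)


def find_escapes(procs: List[Proc], host_pid_ns: str) -> List[Tuple[int, str]]:
    """Return (pid, reason) for processes that have left their container's PID namespace.
    Rule A: accounted to a container cgroup but running in the host PID namespace.
    Rule B: running in the host PID namespace while the parent is still in a container
            PID namespace (a child that joined the host namespace, e.g. via setns/nsenter)."""
    by_pid = {p.pid: p for p in procs}
    hits = []
    for p in procs:
        if p.pid_ns != host_pid_ns:
            continue  # still confined to a non-host PID namespace
        if in_container_cgroup(p.cgroup):
            hits.append((p.pid, "container cgroup but host pid namespace"))
            continue
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.pid_ns != host_pid_ns:
            hits.append((p.pid, f"host pid namespace but parent {parent.pid} is in {parent.pid_ns}"))
    return hits


def _under(path: str, base: str) -> bool:
    path, base = os.path.normpath(path), os.path.normpath(base)
    return path == base or path.startswith(base + os.sep)


def check_file_access(proc: Proc, host_pid_ns: str, path: str, fs: ContainerFs, write: bool) -> str:
    """Policy for a container process: reads inside the merged rootfs or the image layers,
    writes only to the merged rootfs (backed by the upper layer) or the upper layer itself.
    Any other host path is denied. Host-namespace processes are outside this policy.
    normpath collapses ".." but not symlinks; a live monitor would use os.path.realpath."""
    if proc.pid_ns == host_pid_ns:
        return "allow"
    real = os.path.normpath(path)
    if any(_under(real, layer) for layer in fs.lowerdirs):
        return "deny: image lower layer is read-only" if write else "allow"
    if _under(real, fs.merged) or _under(real, fs.upperdir):
        return "allow"
    return "deny: host path outside container rootfs"


def read_proc_table(proc_root: str = "/proc") -> List[Proc]:
    """Linux-only: build Proc records from a live /proc for a stand-alone run."""
    procs = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid = int(name)
        try:
            with open(f"{proc_root}/{pid}/stat") as f:
                ppid = int(f.read().rsplit(")", 1)[1].split()[1])  # field after state
            pid_ns = os.readlink(f"{proc_root}/{pid}/ns/pid")
            with open(f"{proc_root}/{pid}/cgroup") as f:
                cgroup = f.read().strip().splitlines()[-1].rsplit(":", 1)[-1]
        except (OSError, IndexError, ValueError):
            continue  # process exited, or not readable from here
        procs.append(Proc(pid, ppid, pid_ns, cgroup))
    return procs


# Constructed sample data (not captured from a real host).
HOST_PID_NS = "pid:[4026531836]"
CONTAINER_PID_NS = "pid:[4026532511]"
SAMPLE_PROCS = [
    Proc(1, 0, HOST_PID_NS, "/init.scope"),
    Proc(900, 1, HOST_PID_NS, "/system.slice/docker.service"),
    Proc(1200, 900, CONTAINER_PID_NS, "/docker/3f0c"),   # container init
    Proc(1250, 1200, CONTAINER_PID_NS, "/docker/3f0c"),  # ordinary container child
    Proc(1301, 1250, HOST_PID_NS, "/docker/3f0c"),       # escaped: rule A
    Proc(1302, 1200, HOST_PID_NS, "/init.scope"),        # escaped: rule B
]
SAMPLE_FS = ContainerFs(
    merged="/var/lib/docker/overlay2/3f0c/merged",       # hypothetical paths
    upperdir="/var/lib/docker/overlay2/3f0c/diff",
    lowerdirs=("/var/lib/docker/overlay2/l/AAAA",),
)

if __name__ == "__main__":
    for pid, why in find_escapes(SAMPLE_PROCS, HOST_PID_NS):
        print(f"ALERT pid {pid}: {why}")
    if os.path.isdir("/proc/1/ns"):  # live run, Linux only
        live = read_proc_table()
        print(find_escapes(live, os.readlink("/proc/1/ns/pid")))
```

On the constructed table the detector flags pid 1301 (container cgroup, host PID namespace) and pid 1302 (host PID namespace, parent still confined); the policy allows the container child to write under its merged rootfs, denies a traversal that resolves to /etc/shadow, and denies writes to the read-only lower layer while still allowing reads of it.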
Keywords
container escape,resource isolation,container security