It's becoming more and more common to take the container approach to develop and deploy applications on embedded Linux devices. But there is always this tension between completely isolating the containerized application from the host operating system and sharing resources with the host OS so that the application can do its job. Namespaces, bind mounts, cgroups, capabilities, seccomp, AppArmor, SELinux, etc. Several technologies are available to isolate and secure applications running inside containers, but it's not that easy to identify the best approach to adopt for a specific situation. This presentation will be a walkthrough of the main technologies to secure containerized applications on embedded Linux devices, providing the audience a good understanding of the trade-offs between those technologies and how they can be leveraged in real-world products.

Talk presented at Embedded Linux Conference 2022