Lic-Sec: An enhanced AppArmor Docker security profile generator
Journal of Information Security and Applications (IF 5.6), Pub Date: 2021-07-16, DOI: 10.1016/j.jisa.2021.102924
Hui Zhu, Christian Gehrmann

Along with the rapid development of cloud computing technology, containerization technology has drawn much attention from both industry and academia. In this paper, we perform a comparative measurement analysis of Docker-sec, which is a Linux Security Module proposed in 2018, and a new AppArmor profile generator called Lic-Sec, which combines Docker-sec with a modified version of LiCShield, which is also a Linux Security Module proposed in 2015. Docker-sec and LiCShield can be used to enhance Docker container security based on mandatory access control and allow protection of the container without manual configurations. Lic-Sec brings together their strengths and provides stronger protection. We evaluate the effectiveness and performance of Docker-sec and Lic-Sec by testing them with real-world attacks. We generate an exploit database with 40 exploits effective on Docker containers selected from the latest 400 exploits on Exploit-DB. We launch these exploits on containers spawned with Docker-sec and Lic-Sec separately. Our evaluations show that for demanding images, Lic-Sec gives protection for all privilege escalation attacks for which Docker-sec and LiCShield failed to give protection.




Updated: 2021-07-16