
Design and Optimization of a Multi-Level Security Isolation System for Containers Based on LSM

熊明俊 郭培馨

网络安全与数据治理 (Cyber Security and Data Governance), 2026, Vol. 45, Issue 5: 11-17, 7. DOI: 10.19358/j.issn.2097-1788.2026.05.002


熊明俊 1, 郭培馨 2

Author information

  • 1. Jinhang Digital Technology Co., Ltd. (金航数码科技有限责任公司), Beijing 100028
  • 2. Military Industry Secrecy Qualification Review and Certification Center (军工保密资格审查认证中心), Beijing 100000

Abstract

With the widespread adoption of container technology in production environments, deficiencies in security isolation mechanisms have become increasingly apparent. This paper proposes a multi-level security isolation model for containers based on the Linux Security Modules (LSM) framework. The model constructs fine-grained Mandatory Access Control (MAC) policies by defining containerized subjects and objects and introducing security labels to classify container processes and file resources. A Docker LSM (DLSM) prototype system is developed to strengthen protection at two levels: restricting container access to host critical directories and to other containers' file systems, to prevent privilege escalation and escape; and implementing grouped management with permission grading for shared data volumes, to prevent data leakage or tampering. Comparative experiments with SELinux and AppArmor show that DLSM achieves a 100% interception rate across container escape, sensitive directory mounting, and cross-container communication attack scenarios, with performance overhead kept below 5%, providing an effective solution that balances container security and efficiency.
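The abstract describes the policy model but not its concrete rules. The following is an added userspace illustration of how such label-based MAC decisions are typically structured; it is not the DLSM prototype's code and not an LSM hook. The host-critical path list, the container rootfs locations, the volume-group mapping and the three-step grade scale (none/read/write) are all assumptions made for the example. The decision function enforces the two layers the abstract names: layer 1 denies any container access to host critical paths and to another container's root filesystem; layer 2 grants shared-volume access only when the subject's grade for that volume's group covers the requested operation.

```python
"""Label-based MAC policy model for containers.

Added illustration, not DLSM's code. Every process (subject) carries a
container label plus a grade per shared-volume group; every path (object) is
labelled as host-critical, as part of one container's rootfs, or as a member
of a shared-volume group. All paths, names and the grade scale are assumed.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Dict, List, Optional, Tuple


class Grade(IntEnum):
    NONE = 0
    READ = 1
    WRITE = 2


@dataclass
class Subject:
    container: str               # container label of the process
    grades: Dict[str, Grade]     # shared-volume group -> grade granted


@dataclass(frozen=True)
class Object:
    kind: str                    # "host_critical" | "container_fs" | "shared_volume" | "other"
    owner: Optional[str] = None  # owning container for container_fs
    group: Optional[str] = None  # volume group for shared_volume


# Constructed host layout (assumed for the example).
HOST_CRITICAL = ("/etc", "/boot", "/sys", "/proc/sys", "/var/run/docker.sock")
CONTAINER_ROOTS = {
    "web": "/var/lib/docker/overlay2/web/merged",
    "db": "/var/lib/docker/overlay2/db/merged",
}
VOLUME_GROUPS = {
    "/data/finance": "finance",
    "/data/public": "public",
}


def _under(path: str, prefix: str) -> bool:
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")


def label_path(path: str) -> Object:
    """Object labelling: classify a host path. Host-critical wins over all else."""
    if any(_under(path, p) for p in HOST_CRITICAL):
        return Object("host_critical")
    for name, root in CONTAINER_ROOTS.items():
        if _under(path, root):
            return Object("container_fs", owner=name)
    for vol, group in VOLUME_GROUPS.items():
        if _under(path, vol):
            return Object("shared_volume", group=group)
    return Object("other")


def decide(subject: Subject, obj: Object, op: str) -> bool:
    """Mandatory access decision: True = allow, False = deny. Default deny."""
    needed = Grade.WRITE if op == "write" else Grade.READ
    if obj.kind == "host_critical":
        return False                               # layer 1: never host critical dirs
    if obj.kind == "container_fs":
        return obj.owner == subject.container      # layer 1: own rootfs only
    if obj.kind == "shared_volume":
        return subject.grades.get(obj.group, Grade.NONE) >= needed  # layer 2
    return False


def run_scenarios() -> List[Tuple[str, bool]]:
    """Constructed attack and legitimate-access cases; returns (name, allowed)."""
    web = Subject("web", {"public": Grade.READ, "finance": Grade.READ})
    db = Subject("db", {"finance": Grade.WRITE})
    cases = [
        ("web reads /etc/shadow (escape)", web, "/etc/shadow", "read"),
        ("web opens docker.sock (escape)", web, "/var/run/docker.sock", "write"),
        ("web reads db rootfs (cross-container)", web,
         CONTAINER_ROOTS["db"] + "/var/lib/mysql/ibdata1", "read"),
        ("db writes own rootfs", db, CONTAINER_ROOTS["db"] + "/tmp/x", "write"),
        ("web reads finance volume (grade READ)", web, "/data/finance/ledger.csv", "read"),
        ("web writes finance volume (grade READ)", web, "/data/finance/ledger.csv", "write"),
        ("db writes finance volume (grade WRITE)", db, "/data/finance/ledger.csv", "write"),
        ("db reads public volume (no grade)", db, "/data/public/readme", "read"),
    ]
    return [(name, decide(s, label_path(p), op)) for name, s, p, op in cases]


if __name__ == "__main__":
    for name, allowed in run_scenarios():
        print("ALLOW" if allowed else "DENY ", name)
```

The three denied attack cases correspond to the escape, sensitive-directory and cross-container scenarios the abstract evaluates; a real LSM would make the same decision inside a kernel hook (for example on inode permission or mount), with labels attached to tasks and inodes rather than looked up from path prefixes.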

Keywords

container isolation / multi-level security / mandatory access control / LSM / Docker

Category

Information Technology and Security Science

Cite this article

熊明俊, 郭培馨. Design and optimization of multi-level security isolation system for containers based on LSM [J]. 网络安全与数据治理, 2026, 45(5): 11-17, 7.

ISSN 2097-1788
