Specify the recommended defaults for security #319
Conversation
@containers/podman-maintainers PTAL
In Fedora Rawhide, I have eliminated some CAPABILITIES from the default list to make containers more secure. The containers.conf should be listed here as well. The default list in code is still the Docker defaults, but I have eliminated three from the default list:

AUDIT_WRITE, MKNOD, NET_RAW

In Fedora 33 we have eliminated just MKNOD and NET_RAW.

Signed-off-by: Daniel J Walsh <dwalsh@redhat.com>
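The PR trims the default capability list; what an operator then wants is a way to confirm that a running container really lost those capabilities, since the kernel reports the effective set only as a hex bitmask in `/proc/<pid>/status`. The following is an added example, not code from containers/common or from the PR author: it decodes a `CapEff` mask using the bit numbers from `linux/capability.h`, audits it against the three capabilities named above, and renders the reduced list as a `default_capabilities` stanza for the `[containers]` section of containers.conf. The sample status text is constructed here from the 14 Docker default capabilities; the function and variable names are this example's own.

```python
"""Decode a Linux CapEff bitmask and audit it against a capability policy.

Added example (not containers/common code). Capability bit numbers are
the ones defined in linux/capability.h.
"""
import re

CAP_NAMES = {
    0: "CHOWN", 1: "DAC_OVERRIDE", 2: "DAC_READ_SEARCH", 3: "FOWNER",
    4: "FSETID", 5: "KILL", 6: "SETGID", 7: "SETUID", 8: "SETPCAP",
    9: "LINUX_IMMUTABLE", 10: "NET_BIND_SERVICE", 11: "NET_BROADCAST",
    12: "NET_ADMIN", 13: "NET_RAW", 14: "IPC_LOCK", 15: "IPC_OWNER",
    16: "SYS_MODULE", 17: "SYS_RAWIO", 18: "SYS_CHROOT", 19: "SYS_PTRACE",
    20: "SYS_PACCT", 21: "SYS_ADMIN", 22: "SYS_BOOT", 23: "SYS_NICE",
    24: "SYS_RESOURCE", 25: "SYS_TIME", 26: "SYS_TTY_CONFIG", 27: "MKNOD",
    28: "LEASE", 29: "AUDIT_WRITE", 30: "AUDIT_CONTROL", 31: "SETFCAP",
    32: "MAC_OVERRIDE", 33: "MAC_ADMIN", 34: "SYSLOG", 35: "WAKE_ALARM",
    36: "BLOCK_SUSPEND", 37: "AUDIT_READ", 38: "PERFMON", 39: "BPF",
    40: "CHECKPOINT_RESTORE",
}
CAP_BITS = {name: bit for bit, name in CAP_NAMES.items()}

# The Docker default capability list that the PR text refers to.
DOCKER_DEFAULTS = {
    "AUDIT_WRITE", "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL",
    "MKNOD", "NET_BIND_SERVICE", "NET_RAW", "SETFCAP", "SETGID", "SETPCAP",
    "SETUID", "SYS_CHROOT",
}
# The three capabilities the PR drops from the Fedora Rawhide default list.
DROPPED_IN_RAWHIDE = {"AUDIT_WRITE", "MKNOD", "NET_RAW"}


def decode_mask(mask_hex):
    """Return the set of capability names whose bits are set in a hex mask."""
    value = int(mask_hex, 16)
    return {CAP_NAMES.get(bit, f"CAP_{bit}")
            for bit in range(value.bit_length()) if (value >> bit) & 1}


def encode_mask(names):
    """Inverse of decode_mask: render a set of names as a 16-digit hex mask."""
    value = 0
    for name in names:
        value |= 1 << CAP_BITS[name]
    return f"{value:016x}"


def cap_eff_from_status(status_text):
    """Extract the CapEff field from /proc/<pid>/status content."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no CapEff line in status text")
    return match.group(1)


def audit_capabilities(status_text, forbidden=DROPPED_IN_RAWHIDE):
    """Return the forbidden capabilities still effective (empty list = compliant)."""
    effective = decode_mask(cap_eff_from_status(status_text))
    return sorted(effective & set(forbidden))


def containers_conf_fragment(names):
    """Render a default_capabilities stanza for the [containers] table."""
    lines = ["[containers]", "default_capabilities = ["]
    lines += [f'  "CAP_{name}",' for name in sorted(names)]
    lines.append("]")
    return "\n".join(lines)


def build_status(cap_hex):
    """Constructed /proc/<pid>/status excerpt carrying the given mask."""
    return (f"Name:\tsh\nCapInh:\t0000000000000000\nCapPrm:\t{cap_hex}\n"
            f"CapEff:\t{cap_hex}\nCapBnd:\t{cap_hex}\n")


# Constructed samples: a container with the Docker defaults, and one with
# the Rawhide list (the same set minus AUDIT_WRITE, MKNOD and NET_RAW).
DOCKER_DEFAULT_STATUS = build_status(encode_mask(DOCKER_DEFAULTS))
RAWHIDE_STATUS = build_status(encode_mask(DOCKER_DEFAULTS - DROPPED_IN_RAWHIDE))

if __name__ == "__main__":
    print("docker defaults still hold:", audit_capabilities(DOCKER_DEFAULT_STATUS))
    print("rawhide defaults still hold:", audit_capabilities(RAWHIDE_STATUS))
    print(containers_conf_fragment(DOCKER_DEFAULTS - DROPPED_IN_RAWHIDE))
```

On a live host the same check reads `/proc/<pid>/status` of the container's init process instead of the constructed sample; a non-empty result from `audit_capabilities` means the container was started with an additive `--cap-add` or an older default list and deserves a look.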
@containers/podman-maintainers PTAL again.
LGTM 👍
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: rhatdan, saschagrunert The full list of commands accepted by this bot can be found here. The pull request process is described here
@vrothberg Yes, step one is to get this file merged into common, then we can set up tests to use this containers.conf by default in the vendored subdir of podman. This means we would at least realize breakage in the podman tests when a new version of containers/common got vendored in.
/lgtm
This test fails after updating to new VM images which include containers/common#319 Work around the problem by adding in the capabilities expected to be present. Thanks to @edsantiago and @giuseppe for the fix. Signed-off-by: Chris Evich <cevich@redhat.com>
update rtnetlink lib to 0.10.1