From 01e2522a24c8d84efa7e5ca5c6db6b87f0efd480 Mon Sep 17 00:00:00 2001 From: thelamer Date: Sun, 31 Aug 2025 05:58:15 -0400 Subject: [PATCH 1/2] update security notes for selkies blurb to include note about seccomp unconfined --- .../roles/documentation/templates/README_SNIPPETS/SELKIES.j2 | 2 ++ 1 file changed, 2 insertions(+) diff --git a/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 b/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 index 7cb22d4c..5d9033b6 100644 --- a/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 +++ b/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 @@ -10,6 +10,8 @@ By default, this container has no authentication. The optional `CUSTOM_USER` and The web interface includes a terminal with passwordless `sudo` access. Any user with access to the GUI can gain root control within the container, install arbitrary software, and probe your local network. +While not generally recommended, certain legacy environments specifically those with older hardware or outdated Linux distributions may require the deactivation of the standard seccomp profile to get containerized desktop software to run. This can be achieved by utilizing the `--security-opt seccomp=unconfined` parameter. It is critical to use this option only when absolutely necessary as it disables a key security layer of Docker elevating the potential for container escape vulnerabilities. + ### Options in all Selkies-based GUI containers This container is based on [Docker Baseimage Selkies](https://github.com/linuxserver/docker-baseimage-selkies), which provides the following environment variables and run configurations to customize its functionality. From 5d707c5be8c5055f9f09174e8558bbb79ec4f9be Mon Sep 17 00:00:00 2001 From: thelamer Date: Sun, 31 Aug 2025 05:59:28 -0400 Subject: [PATCH 2/2] wording --- .../roles/documentation/templates/README_SNIPPETS/SELKIES.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 b/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 index 5d9033b6..18112b7a 100644 --- a/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 +++ b/ansible/roles/documentation/templates/README_SNIPPETS/SELKIES.j2 @@ -10,7 +10,7 @@ By default, this container has no authentication. The optional `CUSTOM_USER` and The web interface includes a terminal with passwordless `sudo` access. Any user with access to the GUI can gain root control within the container, install arbitrary software, and probe your local network. -While not generally recommended, certain legacy environments specifically those with older hardware or outdated Linux distributions may require the deactivation of the standard seccomp profile to get containerized desktop software to run. This can be achieved by utilizing the `--security-opt seccomp=unconfined` parameter. It is critical to use this option only when absolutely necessary as it disables a key security layer of Docker elevating the potential for container escape vulnerabilities. +While not generally recommended, certain legacy environments specifically those with older hardware or outdated Linux distributions may require the deactivation of the standard seccomp profile to get containerized desktop software to run. This can be achieved by utilizing the `--security-opt seccomp=unconfined` parameter. It is critical to use this option only when absolutely necessary as it disables a key security layer of Docker, elevating the potential for container escape vulnerabilities. ### Options in all Selkies-based GUI containers