feat: tmpfs noexec/nosuid/nodev + binds default :ro + init=true#3
Merged
binds default :ro, init=true (tini)

Three more secure-by-default knobs on top of the v0.5.0 set:

1. **tmpfs auto-`noexec,nosuid,nodev`**: when a service declares `tmpfs:` mount points, those flags are appended to the operator's option string unless they explicitly opt in (`exec`, `suid`, `dev`). Closes the "drop a binary on writable scratch + exec it" escape chain.
2. **bind mounts default `:ro`**: a `binds:` entry without a mode suffix gets `:ro` automatically. Operator opts in to writable binds with explicit `:rw`. Removes the "I bind-mounted /etc/foo and the app started scribbling on the host" footgun.
3. **init=true** (new field, default true): docker's `--init` runs tini as PID 1 — proper zombie reaping + SIGTERM forwarding to children. Drains and healthcheck-gated rolling swaps actually finish on apps where the language runtime doesn't reap. Operator opts out via `init: false` for images that ship their own init (systemd-in-containers, s6-overlay, supervisord, etc.).

Spec_hash now includes the `init` flag, so existing containers look drifted on first reconcile after upgrade — expected one-time forced redeploy.

Tests:

- `harden_tmpfs_options` preserves operator-provided opts + appends each missing negative independently; respects explicit opt-out per-flag; idempotent.
- `default_bind_to_ro` appends `:ro` on bare two-field binds, leaves three-field binds (with explicit mode or SELinux flags) verbatim.
- `RunOptions::default()` produces a `HostConfig` with `init=true`; `init=false` opt-out flows through.

README "Sane security defaults" table extended with the three new rows + opt-outs.
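An added example, not the PR's own code: a stand-alone Rust re-implementation of the two helpers the description names (`harden_tmpfs_options` and `default_bind_to_ro`), written from the behaviour described above. The function names come from the PR text; the exact signatures and the token-based parsing are my assumptions, and the project itself may differ.

```rust
// Added example re-implementing the behaviour described in the PR text.
// Function names are from the PR; signatures and parsing are assumptions.

/// Append `noexec`, `nosuid`, `nodev` to a tmpfs option string unless the
/// operator explicitly opted in with the positive flag (`exec`, `suid`, `dev`).
/// Operator-provided options are preserved; re-running is idempotent.
pub fn harden_tmpfs_options(opts: &str) -> String {
    let mut parts: Vec<String> = opts
        .split(',')
        .map(str::trim)
        .filter(|s| !s.is_empty())
        .map(String::from)
        .collect();
    for (positive, negative) in [("exec", "noexec"), ("suid", "nosuid"), ("dev", "nodev")] {
        // Compare whole tokens so e.g. `size=64m` never matches `exec`.
        let opted_in = parts.iter().any(|p| p == positive);
        let already = parts.iter().any(|p| p == negative);
        if !opted_in && !already {
            parts.push(negative.to_string());
        }
    }
    parts.join(",")
}

/// A bare `host:container` bind gets `:ro`. Three-field binds, i.e. an explicit
/// mode (`:rw`, `:ro`) or SELinux label (`:z`, `:Z`), are returned verbatim.
/// Assumes POSIX host paths (a Windows drive letter would add a colon).
pub fn default_bind_to_ro(bind: &str) -> String {
    match bind.split(':').count() {
        2 => format!("{bind}:ro"),
        _ => bind.to_string(),
    }
}

fn main() {
    println!("{}", harden_tmpfs_options("size=64m,exec"));
    println!("{}", default_bind_to_ro("/etc/foo:/etc/foo"));
}
```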
v0.6.0 (tag pushed). Three more secure-by-default knobs. See commit message for full breakdown.