PrivSec-dev/privsec.dev
1
0
Fork 0
mirror of https://github.com/PrivSec-dev/privsec.dev synced 2024-12-22 04:41:33 -05:00
Code

fix(linux/Docker and OCI Hardening): correction on no_new_privs option (#223)

Browse Source
This commit is contained in:
xyhhx 2024-04-19 02:49:30 +00:00 committed by GitHub
parent d824a1ccae
commit 4ef5e890de
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 2 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
content/posts/linux/Docker and OCI Hardening.md
View File

@ -136,7 +136,7 @@ After ensuring root isn't used in your containers, you should look into setting
```
security_opt:
- no-new-privileges: true
- "no-new-privileges:true"
```
Gaining privileges in the container will be much harder that way.
@ -255,4 +255,4 @@ Still not convinced? What if I told you a container can leverage the same techno
If you're running untrusted workloads, I highly suggest you consider gVisor instead of a traditional container runtime. Your definition of "untrusted" may vary: for me, almost everything should be considered untrusted. That is how modern security works, and how mobile operating systems work. It's quite simple, security should be simple, and gVisor simply offers native security.
Containers are a popular, yet strange world. They revolutionized the way we make and deploy software, but one should not loose the sight of what they really are and aren't. This hardening guide is non-exhaustive, but I hope it can make you aware of some aspects you've never thought of.
Containers are a popular, yet strange world. They revolutionized the way we make and deploy software, but one should not loose the sight of what they really are and aren't. This hardening guide is non-exhaustive, but I hope it can make you aware of some aspects you've never thought of.