revise security guidance #1072

Merged
merged 1 commit into from
Aug 25, 2020

bcressey
Contributor

Issue number:
N/A

Description of changes:
Strengthen the warning against privileged containers, since they can bypass other protection mechanisms such as SELinux in various ways.

Upgrade the warning against sharing host namespaces, and clarify the additional risk of sharing the host PID namespace.

Expand the section on system mounts to cover local storage concerns.

Mention the new `control_t` label for API socket access, and the path to the Docker runtime socket at `/run/docker.sock`.

Testing done:
Rendered locally with grip.

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Strengthen the warning against privileged containers, since they can
bypass other protection mechanisms such as SELinux in various ways.

Upgrade the warning against sharing host namespaces, and clarify the
additional risk of sharing the host PID namespace.

Expand the section on system mounts to cover local storage concerns.

Mention the new `control_t` label for API socket access, and the path
to the Docker runtime socket at `/run/docker.sock`.

Add example for Amazon ECS.

Signed-off-by: Ben Cressey <[email protected]>
Contributor

@zmrow zmrow left a comment

@bcressey bcressey merged commit 214b0cf into bottlerocket-os:develop Aug 25, 2020
@bcressey bcressey deleted the security-docs branch August 25, 2020 16:31
6 participants