mirror of
https://github.com/sickcodes/Docker-OSX.git
synced 2026-01-11 21:10:25 +01:00
Hardening of X11 root exposure #74
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @dylanschmittle on GitHub (Oct 6, 2020).
I have not tested yet, but i was going to try to work this into the setup somehow https://www.elstel.org/xchroot/
@dylanschmittle commented on GitHub (Oct 6, 2020):
may be worth providing some of these flags as well, i am currently using podman and have zero issues with anything https://www.redhat.com/sysadmin/privileged-flag-container-engines
sudo podman run --device /dev/kvm --device /dev/snd -v /tmp/.X11-unix:/tmp/.X11-unix sickcodes/docker-osx:latest
@sickcodes commented on GitHub (Oct 6, 2020):
I agree we should have more security info.
Especially for VNC net connected guests.
What's different from Docker-OSX is that we're trying to run a full OS inside the OSX guest-guest, as opposed to say, a CMS or web app.
Most users will be using this, in synergy with the host. Drag and drop level relationship.
What needs to be addressed though is multitenants and hosting critical web apps with the Docker-OSX on the same server.
I welcome anyone with security related info to share, submit PRs, open issues, etc. so we can harden the project.
@dylanschmittle commented on GitHub (Oct 9, 2020):
ill see what i can whip up this weekend
@dylanschmittle commented on GitHub (Oct 11, 2020):
Gunna drop this from my notes incase anyone wants to weigh in on this, im thinking brwap-oci or xchroot that way you can set the security maximums and users can set them stiff wither runtime settings without rebuilding.
Containers are simple right?
Policy, Privledges, and Sandboxing
Container Privledge Escalation RH
Seccomp and Sandboxing Google
SE Linux for Containers
cgroupsv1/v2
namespaces
chroot
xchroot
proot
firejail
bubblewrap/bwrap-oci
Qemu/libvirt/lxc Sandbox
fakeroot
breakout
Do-nots
Use random public repos
Display Forwarding especially X11 and dbus
Expose or mount the docker socket (or use runc at all)
Running as Root / Net Raw
Running with access to exec capable FS
Running with access to suid binaries
Running with runc
Windows Containers
Build tools in final image
Writing data to the temp overlay
@sickcodes commented on GitHub (Oct 11, 2020):
I'll use some of that to elaborate on security, I have some notes so far. I'll add you as a creditor to the security tab if you don't mind :)
Use random public repos
Partially
Display Forwarding especially X11 and dbus
No dbus anymore, using X11 deliberately
Expose or mount the docker socket (or use runc at all)
Using runc, exposing SSH and screenshare ports
Running as Root / Net Raw
Most using docker with root priv
Running as arch user inside container who is root NOPASSWD
Running with access to exec capable FS
Will check what we are exposing
Running with access to suid binaries
Running with access to /dev/kvm
Running with runc
True
Windows Containers
False
Build tools in final image
Kinda
Writing data to the temp overlay
Passwords? Deliberately forcing users to make their own VNC edition as VNC needs unique password (8 chars max)
@sickcodes commented on GitHub (Oct 11, 2020):
Most users are using this locally, but there are users who are using it for CI/CD with VNC I will add some VPN instructions or SSH tunneling to make it more secure for them. Or instructions to run behind a VPC
@sickcodes commented on GitHub (Mar 18, 2021):
Linked issue: https://github.com/sickcodes/Docker-OSX/issues/209
@bphd commented on GitHub (Mar 17, 2023):
It's a good first step to just replace docker with podman, this should be in all the repo. But after that, to really make use of podman, it should stop use "sudo" or "--privilegied" and rather fine tune permissions to create something more secure. 3 years and this repo still use docker. I imagine because it's industry standard, despite just being more problematic