usb hotplug
#2
Dear Sven,

When we started with netPI two years ago, we set out to make it as secure as possible. One aim was that even if a customer loaded an insecure application in a container onto it, this container would in no way be able to compromise the host Linux.

We identified two weaknesses in the standard Docker daemon that one could configure to undermine the security:

* privileged mode - which by default maps all of /dev into a container and hence, with /dev/mmcblk0, netPI's SD card, and also /dev/mem
* volume bind mappings of host volumes into the container, which would allow mapping the boot partition into a container too

This is why privileged mode and volume mapping, as you stated correctly, are restricted on netPI.

I agree that one or the other application is not possible at all with this security structure, but it maybe gives all the other 90% of customers a good feeling.

Just a minute ago I posted this thread here: https://forum.hilscher.com/thread-380.html. I think this might help you.

Thx
Armin
"You never fail until you stop trying.", Albert Einstein (1879 - 1955)
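The two settings named in the post above can be audited on any Docker host from `docker inspect` output. The following is an added example, not part of the original post and not Hilscher's code; the sample containers, their names and the `/boot` path are constructed for illustration.

```python
import json

# Device nodes the post names as dangerous to expose (SD card, physical memory).
SENSITIVE_DEVICES = ("/dev/mmcblk0", "/dev/mem")

def audit_container(info):
    """Return findings for one container object from `docker inspect`."""
    findings = []
    host = info.get("HostConfig") or {}
    if host.get("Privileged"):
        findings.append("privileged mode: host /dev is visible in the container")
    # Host paths can show up in HostConfig.Binds ("src:dst[:opts]") and in the
    # top-level Mounts list (Type == "bind"); collect both without duplicates.
    host_paths = []
    for bind in host.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src.startswith("/"):  # named volumes have no leading slash
            host_paths.append(src)
    for mount in info.get("Mounts") or []:
        if mount.get("Type") == "bind":
            host_paths.append(mount.get("Source", ""))
    for path in dict.fromkeys(host_paths):
        findings.append(f"bind mount of host path {path}")
    # Devices passed one by one (docker run --device) land in HostConfig.Devices.
    for dev in host.get("Devices") or []:
        on_host = dev.get("PathOnHost", "")
        if on_host.startswith(SENSITIVE_DEVICES):
            findings.append(f"sensitive host device mapped: {on_host}")
    return findings

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE = json.loads("""[
 {"Name": "/risky",
  "HostConfig": {"Privileged": true, "Binds": ["/boot:/mnt/boot:rw"], "Devices": []},
  "Mounts": [{"Type": "bind", "Source": "/boot", "Destination": "/mnt/boot"}]},
 {"Name": "/disk",
  "HostConfig": {"Privileged": false, "Binds": null, "Devices": [
    {"PathOnHost": "/dev/mmcblk0p1", "PathInContainer": "/dev/sd",
     "CgroupPermissions": "rwm"}]},
  "Mounts": []},
 {"Name": "/ok",
  "HostConfig": {"Privileged": false, "Binds": ["appdata:/data"], "Devices": null},
  "Mounts": [{"Type": "volume", "Name": "appdata",
              "Source": "/var/lib/docker/volumes/appdata/_data",
              "Destination": "/data"}]}
]""")

if __name__ == "__main__":
    for container in SAMPLE:
        print(container["Name"], audit_container(container) or "no findings")
```

On a live host the same function can be fed the parsed output of `docker inspect` for all containers in place of `SAMPLE`.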

Messages In This Thread
usb hotplug - by Sven - February-13th-2019, 09:52 PM
RE: usb hotplug - by Armin@netPI - February-14th-2019, 12:43 PM
RE: usb hotplug - by Armin@netPI - February-18th-2019, 05:10 PM
RE: usb hotplug - by FrankJacob - March-29th-2019, 02:49 PM
RE: usb hotplug - by Armin@netPI - March-29th-2019, 07:37 PM
