by koolba
3421 days ago
Are the values loaded on the fly each time they're read, or is the /run/secrets mount statically defined when the container starts up? If it's static, a follow-up to that would be: how are changes propagated to already running instances? Is there a way to restrict access to reading said secrets once the container is running? Say you're running possibly malicious code that has access to the local filesystem (ex: a CI test runner): is there a way to restrict a process from reading those files? Can we simply delete them (i.e. "burn after reading"), or are they fully virtual?
I don't know anything about Docker, but the best way I found to do this in Linux in general was aa_change_hat() [0]. You write an AppArmor profile for startup and a sub-profile for the running app/service. After setup, you call aa_change_hat() to switch the current process to use the sub-profile. You then throw away your magic token, so there is no way to switch back.
You don't even have to link to libapparmor; under the hood aa_change_hat() just writes some string somewhere in /proc, so you can replicate that. Note: I haven't actually done this, but I'm working on it right now.
[0] http://manpages.ubuntu.com/manpages/wily/man2/aa_change_hat....
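The sequence the reply above describes, written out as an added example (this is not code from the thread, from libapparmor, or from Docker): build the same "changehat <token>^<hat>" string that libapparmor writes to the task's AppArmor attribute file under /proc, write it, then wipe the token so the process can never change back out of the hat. The hat name "running", the profile it is assumed to live in, and the helper names are assumptions for illustration; the two /proc paths are the newer "attr/apparmor/current" layout and the older "attr/current" one.

```c
/* Added example: a libapparmor-free equivalent of aa_change_hat() that
 * enters a hat and then throws the magic token away. Assumes the process is
 * already confined by an AppArmor profile that declares a hat "running". */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Same wire format libapparmor uses: "changehat " + 16 hex digits + "^" + hat.
 * A NULL hat means "change back out of the current hat", which the kernel
 * honours only if the token matches; NULL hat with token 0 is rejected. */
static int build_changehat_cmd(char *buf, size_t size, const char *hat, unsigned long token)
{
    if (!hat && token == 0) {
        errno = EINVAL;
        return -1;
    }
    int n = snprintf(buf, size, "changehat %016lx^%s", token, hat ? hat : "");
    if (n < 0 || (size_t)n >= size) {
        errno = ENAMETOOLONG;
        return -1;
    }
    return 0;
}

/* A plain memset() on a dead local may be optimised away; go through volatile. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = p;
    while (n--)
        *vp++ = 0;
}

/* Write the command to this thread's AppArmor attribute file, trying the
 * newer path first and falling back to the older one. Returns 0 on success. */
static int write_procattr(const char *cmd)
{
    static const char *paths[] = {
        "/proc/thread-self/attr/apparmor/current", /* newer kernels */
        "/proc/thread-self/attr/current",          /* older kernels */
    };
    size_t len = strlen(cmd);
    for (size_t i = 0; i < sizeof paths / sizeof paths[0]; i++) {
        int fd = open(paths[i], O_WRONLY | O_CLOEXEC);
        if (fd < 0)
            continue;
        ssize_t w = write(fd, cmd, len);
        int saved = errno;
        close(fd);
        if (w == (ssize_t)len)
            return 0;
        errno = saved;
        return -1;
    }
    return -1; /* neither file exists: no AppArmor here (or not Linux) */
}

/* Fresh token from /dev/urandom: a guessable token would let compromised
 * code change back out of the hat by writing "changehat <token>^". */
static int random_token(unsigned long *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return -1;
    size_t got = fread(out, sizeof *out, 1, f);
    fclose(f);
    return got == 1 ? 0 : -1;
}

/* Enter `hat`, then destroy every copy of the token so there is no way back. */
static int enter_hat_forever(const char *hat)
{
    unsigned long token;
    char cmd[64 + 256];
    if (random_token(&token) < 0)
        return -1;
    int rc = build_changehat_cmd(cmd, sizeof cmd, hat, token);
    if (rc == 0)
        rc = write_procattr(cmd);
    secure_zero(cmd, sizeof cmd);      /* the buffer held the token in hex */
    secure_zero(&token, sizeof token); /* and so did this variable */
    return rc;
}

int main(void)
{
    /* "running" is an assumed hat, declared as ^running { ... } inside the
     * profile that confines this binary; adjust to your own profile. */
    if (enter_hat_forever("running") < 0) {
        perror("change_hat failed");
        return 1;
    }
    puts("confined by hat 'running'; token discarded, no way back");
    return 0;
}
```

Do the privileged setup (reading secrets, binding sockets, loading config) before the call, because everything after it runs under the hat's rules only. On a host without AppArmor, or in a process that is not confined by a profile, the write fails and the program reports it rather than silently continuing unconfined, which is the check you want in a CI runner. The man page the reply links also describes a shortcut: passing a zero token means the kernel will not allow changing back out of the hat at all, so you can skip the random token if you never need to return.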