by sly010 3414 days ago
> Is there a way to restrict access to reading said secrets once the container is running?

I don't know anything about docker, but the best way I found to do this in linux in general was aa_changehat() [0]. You write an apparmor profile for startup and a sub-profile for the running app/service. After setup, you call aa_changehat() to switch the current process to use the subprofile. You then throw away your magic token, so there is no way to switch back.

You don't even have to link to libapparmor; under the hood aa_changehat() just writes some string somewhere in /proc, so you can replicate that. Note, I haven't actually done this, but I'm working on it right now.

[0] http://manpages.ubuntu.com/manpages/wily/man2/aa_change_hat....
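The "write some string to /proc" route the comment describes, as an added C example (not the commenter's code): build the changehat request, write it to the AppArmor attr node, and scrub the random token so the process can no longer ask to leave the hat. The procfs paths and the `changehat <token>^<hat>` request format are assumptions taken from how libapparmor behaves; the hat name is whatever the caller's profile defines.

```c
/* Added example (not the commenter's code): setup -> aa_change_hat -> drop-token done by
 * hand through /proc. Assumed node: /proc/self/attr/apparmor/current, older: /proc/self/attr/current. */
#include <errno.h>
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
/* Build the request the kernel expects: "changehat <16 hex digits>^<hat>". An empty
 * hat name means "back to the parent profile", valid only with the same token. */
int build_changehat(uint64_t token, const char *hat, char *buf, size_t len) {
    int n = snprintf(buf, len, "changehat %016llx^%s",
                     (unsigned long long)token, hat ? hat : "");
    return (n < 0 || (size_t)n >= len) ? -1 : n;   /* -1 if it does not fit */
}

/* Write the request to the AppArmor procfs node; 0 on success, -1 with errno set. */
static int write_procattr(const char *req, int n) {
    const char *paths[] = { "/proc/self/attr/apparmor/current", "/proc/self/attr/current" };
    for (int i = 0; i < 2; i++) {
        int fd = open(paths[i], O_WRONLY);
        if (fd < 0) continue;                 /* try the older node */
        ssize_t w = write(fd, req, (size_t)n);
        int saved = errno;                    /* close() must not clobber it */
        close(fd);
        errno = saved;
        return w == n ? 0 : -1;
    }
    errno = ENOENT;                           /* no AppArmor interface at all */
    return -1;
}

/* Scrub the token so the process cannot present it again later. */
void forget_token(uint64_t *token) {
    *(volatile uint64_t *)token = 0;
}

/* Switch into `hat` with a fresh random token, then throw the token away.
 * From here on the process cannot ask the kernel to leave the hat. */
int enter_hat_permanently(const char *hat) {
    uint64_t token = 0;
    char req[128];
    int fd = open("/dev/urandom", O_RDONLY);
    ssize_t got = fd < 0 ? -1 : read(fd, &token, sizeof token);
    if (fd >= 0) close(fd);
    int n = got == (ssize_t)sizeof token ? build_changehat(token, hat, req, sizeof req) : -1;
    int rc = n < 0 ? -1 : write_procattr(req, n);
    forget_token(&token);                     /* whether or not the switch succeeded */
    return rc;
}
```

The token must come from a real random source: a guessable or zero token lets any code running in the process write the matching "changehat <token>^" and step back out of the hat, which defeats the point of dropping it.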