fix(security): Change socket mount to read-only

BREAKING CHANGE: Socket directory now mounted read-only into containers
for security. Prevents compromised containers from:
- Unlinking socket and creating man-in-the-middle proxies
- Filling /run/pulse-sensor-proxy/ to exhaust tmpfs
- Racing proxy service on restart to hijack socket path

Migration: Change socket mounts from :rw to :ro in docker-compose.yml

Access control enforced via SO_PEERCRED, so write access not needed.

Related to security audit 2025-11-07.
This commit is contained in:
rcourtman 2025-11-07 17:10:02 +00:00
parent 97f9de6c95
commit cc5e6f3a09

View file

@ -11,7 +11,8 @@ services:
- pulse-data:/data
# Secure temperature monitoring via host-side proxy (requires setup - see docs)
# Uncomment after installing pulse-sensor-proxy on host with --standalone flag
# - /run/pulse-sensor-proxy:/run/pulse-sensor-proxy:rw
# Mount is read-only (:ro) for security - proxy uses SO_PEERCRED for access control
# - /run/pulse-sensor-proxy:/run/pulse-sensor-proxy:ro
environment:
- TZ=${TZ:-UTC}
healthcheck: