fix(security): Change socket mount to read-only
BREAKING CHANGE: Socket directory now mounted read-only into containers for security. Prevents compromised containers from: - Unlinking socket and creating man-in-the-middle proxies - Filling /run/pulse-sensor-proxy/ to exhaust tmpfs - Racing proxy service on restart to hijack socket path Migration: Change socket mounts from :rw to :ro in docker-compose.yml Access control enforced via SO_PEERCRED, so write access not needed. Related to security audit 2025-11-07.
This commit is contained in:
parent
97f9de6c95
commit
cc5e6f3a09
1 changed files with 2 additions and 1 deletions
|
|
@ -11,7 +11,8 @@ services:
|
|||
- pulse-data:/data
|
||||
# Secure temperature monitoring via host-side proxy (requires setup - see docs)
|
||||
# Uncomment after installing pulse-sensor-proxy on host with --standalone flag
|
||||
# - /run/pulse-sensor-proxy:/run/pulse-sensor-proxy:rw
|
||||
# Mount is read-only (:ro) for security - proxy uses SO_PEERCRED for access control
|
||||
# - /run/pulse-sensor-proxy:/run/pulse-sensor-proxy:ro
|
||||
environment:
|
||||
- TZ=${TZ:-UTC}
|
||||
healthcheck:
|
||||
|
|
|
|||
Loading…
Reference in a new issue