From cc5e6f3a098a007f65d0081db049b1020bea2c3b Mon Sep 17 00:00:00 2001 From: rcourtman Date: Fri, 7 Nov 2025 17:10:02 +0000 Subject: [PATCH] fix(security): Change socket mount to read-only BREAKING CHANGE: Socket directory now mounted read-only into containers for security. Prevents compromised containers from: - Unlinking socket and creating man-in-the-middle proxies - Filling /run/pulse-sensor-proxy/ to exhaust tmpfs - Racing proxy service on restart to hijack socket path Migration: Change socket mounts from :rw to :ro in docker-compose.yml Access control enforced via SO_PEERCRED, so write access not needed. Related to security audit 2025-11-07. --- docker-compose.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index dd77a9a..18d584d 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -11,7 +11,8 @@ services: - pulse-data:/data # Secure temperature monitoring via host-side proxy (requires setup - see docs) # Uncomment after installing pulse-sensor-proxy on host with --standalone flag - # - /run/pulse-sensor-proxy:/run/pulse-sensor-proxy:rw + # Mount is read-only (:ro) for security - proxy uses SO_PEERCRED for access control + # - /run/pulse-sensor-proxy:/run/pulse-sensor-proxy:ro environment: - TZ=${TZ:-UTC} healthcheck: