Securing Runtime of the L2 Base Ethereum Nodes
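---
# eBPF LSM Security Policy for Base Node
# Protects Nethermind (Execution Client) and OP Node (Consensus/Rollup Client)
#
# The pasted copy of this file had lost all indentation, which makes the
# nesting unparseable; the structure below restores it. Each entry in
# `container_policies` scopes a set of executables and the directories
# they may read or write; an empty `container_path` addresses the host.
container_policies:
  # Nethermind Pod
  - container_path: "base-sepolia:nethermind-pod:nethermind"
    executables:
      - path: "/app/nethermind"
        directories:
          - path: "/shared"
            permission: "read"
          # Key material is read-only even though the parent "/data" is
          # writable. NOTE(review): precedence between an overlapping
          # read-only entry and a writable parent is decided by the
          # enforcing tool, not by this file — confirm the more specific
          # entry wins, otherwise the key files are writable.
          - path: "/data/keystore"
            permission: "read"
          - path: "/data/nodeKey"
            permission: "read"
          - path: "/data"
            permission: "write"
          - path: "/tmp/nethermind"
            permission: "write"
    # Empty list: no executable in this container may carry LD_* variables.
    ld_env_allowed_executables: []

  # OP Node Pod
  - container_path: "base-sepolia:op-node-pod:op-node"
    executables:
      - path: "/app/op-node"
        directories:
          - path: "/shared"
            permission: "read"
          # P2P and discovery secrets: read-only (same precedence caveat
          # as the Nethermind keystore above, since "/data" is writable).
          - path: "/data/opnode_p2p_priv.txt"
            permission: "read"
          - path: "/data/opnode_discovery_secret.txt"
            permission: "read"
          - path: "/data"
            permission: "write"
    ld_env_allowed_executables: []

  # Host System (Infrastructure)
  - container_path: ""
    executables:
      # Container Runtime
      # NOTE(review): this entry is "/runc" while every other reference in
      # this file uses "/bin/runc". If the enforcing tool matches on exact
      # path, "/bin/runc" gets no "/data" or "/tmp/nethermind" grant and
      # "/runc" may not exist — confirm which path is intended.
      - path: "/runc"
        directories:
          - path: "/shared"
            permission: "read"
          - path: "/data"
            permission: "write"
          - path: "/tmp/nethermind"
            permission: "write"
      # Kubernetes Infrastructure
      - path: "/bin/k3s"
        directories:
          - path: "/run/k3s/containerd"
            permission: "write"
          - path: "/tmp/base-node/nethermind-data"
            permission: "write"
          - path: "/tmp/base-node/op-node-data"
            permission: "write"
      - path: "/bin/containerd-shim-runc-v2"
        directories:
          - path: "/run/k3s/containerd"
            permission: "write"
      - path: "/bin/runc"
        directories:
          - path: "/run/k3s/containerd"
            permission: "write"
    # LD_* environment variables allowed only for infrastructure
    ld_env_allowed_executables:
      - "/bin/containerd-shim-runc-v2"
      - "/bin/k3s"
      - "/bin/cni"
      - "/bin/runc"
      - "/bin/aux/xtables-nft-multi"
      - "/bin/aux/nft"

# NOTE(review): the flattened original did not show whether the three
# keys below are top-level or belong to the host policy entry above; they
# are placed at top level here because they span every container.
# Confirm against the tool's schema.
immutable_directories: []

# Critical executables that cannot be modified at runtime
immutable_executables:
  # Application Binaries
  - path: "/app/nethermind"
  - path: "/app/op-node"
  # Container Runtime Infrastructure
  - path: "/bin/runc"
  - path: "/bin/k3s"
  - path: "/bin/containerd-shim-runc-v2"
  # Network Infrastructure
  - path: "/bin/cni"
  - path: "/bin/aux/xtables-nft-multi"
  - path: "/bin/aux/nft"

# Both protections stay enabled; set to true only deliberately disables them.
disable_ptrace_blocking: false
disable_map_security: false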