Last active
August 12, 2021 00:14
-
-
Save poupas/3f15eccf2375ef2364447b3fa1cc835d to your computer and use it in GitHub Desktop.
Hardened /proc inside container
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
version: "3.4" | |
services: | |
node-exporter: | |
# Both "image" keys specify the same image. | |
# But using the hash ensures that the image is not tampered with. | |
#image: prom/node-exporter:v1.2.2 | |
image: prom/node-exporter@sha256:a990408ed288669bbad5b5b374fe1584e54825cde4a911c1a3d6301a907a030c | |
container_name: exporter | |
cap_drop: | |
- ALL | |
# nobody:nobody inside the container | |
user: "65534:65534" | |
restart: unless-stopped | |
command: "--path.rootfs=/host --web.listen-address=:${EXPORTER_METRICS_PORT:-9101}" | |
volumes: | |
- "/fakeroot:/host:ro,rslave" | |
network_mode: host | |
proc-checker: | |
image: ubuntu:20.04 | |
container_name: proc-checker | |
volumes: | |
- "/fakeroot:/host:ro,rslave" | |
command: | |
- /bin/sh | |
- -c | |
- > | |
set -eu | |
&& apt-get update -y | |
&& apt-get install -y python3-psutil | |
&& python3 -c "import json, os, psutil; | |
psutil.PROCFS_PATH='/host/proc'; | |
procs = ['%s\t%s' % (p.info['username'], ' '.join(p.info['cmdline'])) for p in psutil.process_iter(['username', 'cmdline']) if p.info['cmdline']]; | |
print('\n\n\n\n\n\nProcesses seen by root:\nuser\tcommand\n%s' % '\n'.join(procs)); | |
os.setgid(65534); | |
os.setuid(65534); | |
procs = ['%s\t%s' % (p.info['username'], ' '.join(p.info['cmdline'])) for p in psutil.process_iter(['username', 'cmdline'])]; | |
print('\n\n\n\n\n\nProcesses seen by nobody:\nuser\tcommand\n%s' % '\n'.join(procs)); | |
" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
#!/bin/sh | |
mountpoint -q /fakeroot/proc || { mkdir -p /fakeroot/proc && mount -t proc proc -o hidepid=2,ro /fakeroot/proc; } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment