
add default security settings #158

Merged

Conversation

tzneal
Contributor

@tzneal tzneal commented Sep 20, 2024

Issue number:

Closes #

Description of changes:
Adds a default security setting to block writable/executable memory for all services.

Testing done:

Before change:

# systemctl show containerd | grep -i MemoryDenyWriteExecute
MemoryDenyWriteExecute=no

After change:

bash-5.1# systemctl show containerd | grep -i MemoryDenyWriteExecute
MemoryDenyWriteExecute=yes

Terms of contribution:

By submitting this pull request, I agree that this contribution is dual-licensed under the terms of both the Apache License, version 2.0, and the MIT license.

Contributor

@cbgbt cbgbt left a comment


I'm not very familiar with this systemd setting, but one thing I'm not so sure of is how it will interact with the migrations performed by the update system.

Migrations are written to sealed anonymous files, which I could see being included here.

I'm happy to test this and come back, but I'd be curious to test building an image with this change, then attempting to in-place update it.

Contributor

@cbgbt cbgbt left a comment


Pardon my latency, my original test plan involved multiple migration iterations but I realized that it wasn't necessary if I just started my chain from a build from this commit.

The testing looks good. Thanks!
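The interaction the reviewer asked about, as an added example that is not code from this PR or its project: a small C probe that reports whether the calling process may create writable+executable mappings or turn a writable mapping executable (the two things MemoryDenyWriteExecute=yes refuses via its seccomp filter, with EPERM), and shows that a sealed anonymous memfd written first and then mapped read+exec only, the pattern the reviewer describes for migrations, never needs a W+X page and so stays within the policy. The memfd name and the sample bytes are constructed; run it under a unit with and without the setting to compare the first two results.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <sys/mman.h>
#include <unistd.h>

/* 1 = a writable+executable anonymous mapping was refused with EPERM (what
 * the seccomp filter from MemoryDenyWriteExecute=yes does), 0 = granted, -1 = other error. */
int wx_mapping_denied(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE | PROT_EXEC,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return errno == EPERM ? 1 : -1;
    munmap(p, 4096);
    return 0;
}

/* 1 = making an existing writable mapping executable was refused with EPERM
 * (the second transition the setting blocks), 0 = allowed, -1 = error. */
int exec_transition_denied(void) {
    void *p = mmap(NULL, 4096, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;
    int denied = (mprotect(p, 4096, PROT_READ | PROT_EXEC) != 0 && errno == EPERM);
    munmap(p, 4096);
    return denied;
}

/* Sealed-anonymous-file pattern: write into a memfd, seal it against further
 * writes, then map it read+exec. No page is ever writable and executable at
 * once. Returns the first byte read back through the R+X mapping, -2 if that
 * mapping was refused with EPERM, -1 on any other failure. */
int sealed_memfd_rx_map(const unsigned char *data, size_t len) {
    int fd = memfd_create("migration-demo", MFD_CLOEXEC | MFD_ALLOW_SEALING);
    if (fd < 0) return -1;
    if (write(fd, data, len) != (ssize_t)len ||
        fcntl(fd, F_ADD_SEALS, F_SEAL_WRITE | F_SEAL_SHRINK | F_SEAL_GROW) != 0) {
        close(fd);
        return -1;
    }
    void *p = mmap(NULL, len, PROT_READ | PROT_EXEC, MAP_PRIVATE, fd, 0);
    close(fd);
    if (p == MAP_FAILED) return errno == EPERM ? -2 : -1;
    int first = ((const unsigned char *)p)[0];
    munmap(p, len);
    return first;
}

/* Constructed sample content standing in for a migration binary's bytes. */
static const unsigned char kSampleBytes[] = "constructed migration bytes";
```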
