snowflake: run snowflake-proxy with procd-ujail
author    Daniel Golle <daniel@makrotopia.org>
          Sun, 25 Sep 2022 00:28:43 +0000 (01:28 +0100)
committer Daniel Golle <daniel@makrotopia.org>
          Sun, 25 Sep 2022 00:38:09 +0000 (01:38 +0100)
commit    0f3d48a3784fb495ffdfe4a83f540ad42fab89df
tree      0c1c92fd8745aa615508bebc40385225b1e7ed39
parent    cf120a7effd5d13a7f705b5eb9d22410b73d71f3
snowflake: run snowflake-proxy with procd-ujail

snowflake-proxy doesn't write any files
 => run in read-only rootfs environment

the process needs to read SSL certs but no other files
 => only exposed path is /etc/ssl/certificates (read-only)

running as unprivileged user with no additional capabilities
 => set no-new-privs bit

By default procd-ujail also isolates the process by executing it in
a separate new IPC and PID namespace.

Signed-off-by: Daniel Golle <daniel@makrotopia.org>
net/snowflake/Makefile
net/snowflake/files/snowflake-proxy.init [changed mode: 0755->0644]
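The commit message lists the sandbox properties but the page does not show the init script itself. The following is an added example, not the package's actual snowflake-proxy.init, of how those properties map onto procd's jail helpers: a read-only rootfs, a single read-only bind mount of the CA bundle, an unprivileged user and the no-new-privs bit. The user and group name `snowflake`, the binary path and the `START` value are assumptions; the `jail_dry_run` helper at the end is not part of a real init script, it only stubs the procd helpers so the jail parameters can be reviewed offline.

```shell
#!/bin/sh /etc/rc.common
# Added example of a procd init script for snowflake-proxy; not the
# package's own file. User/group "snowflake", PROG and START are assumed.
START=99
USE_PROCD=1

PROG=/usr/bin/snowflake-proxy

start_service() {
	procd_open_instance
	procd_set_param command "$PROG"
	# unprivileged account with no capabilities; forbid regaining any
	procd_set_param user snowflake
	procd_set_param group snowflake
	procd_set_param no_new_privs 1
	procd_set_param respawn
	# read-only rootfs; new PID and IPC namespaces are procd-ujail defaults
	procd_add_jail snowflake-proxy ronly
	# the only path the process needs: the CA bundle, mounted read-only
	procd_add_jail_mount /etc/ssl/certificates
	procd_close_instance
}

# Offline dry run (review aid, not part of a real init script): replace the
# procd helpers with stubs that record each call, so the jail parameters can
# be inspected on a development machine without procd or ubus present.
jail_dry_run() {
	procd_open_instance() { :; }
	procd_close_instance() { :; }
	procd_set_param() { echo "set_param $*"; }
	procd_add_jail() { echo "add_jail $*"; }
	procd_add_jail_mount() { echo "jail_mount_ro $*"; }
	start_service
}
```

On a running device the no-new-privs bit can be confirmed independently of procd by reading the kernel's view of the process: the `NoNewPrivs:` line in `/proc/<pid>/status` of the snowflake-proxy process should read `1`, and the writable paths visible to it should be none beyond what the jail explicitly mounts.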