search

Consensys / teku

Open-source Ethereum consensus client written in Java
https://consensys.io/teku
Apache License 2.0
680 stars 286 forks source link

Supply docker AppArmor profile #2841

Open yorickdowne opened 4 years ago

yorickdowne commented 4 years ago

Please supply an AppArmor profile for Teku

You know your application best and what it requires from the OS. Being able to easily "lock it down" inside a container to those paths it needs would be a boon to security.

What is AppArmor?

See https://docs.docker.com/engine/security/apparmor/ . AppArmor security profiles define what can and cannot be done inside a container, specific to the application running within. The profile is loaded for the container by docker. AppArmor helps secure applications against threats.

For good

Containerization is more than a consistent build environment: Done right, it can be a security boon. Help me build secure-by-default containers by providing an AppArmor profile for your application.

Bonus credit

Do beacon, validator and slasher need different things from the OS? If so, custom AppArmor profiles for each one could even be a thing. But, start with one profile for all three.

rolfyone commented 4 years ago

Thanks for raising this, it looks helpful.

We'll have a look at where it fits in our priority list.