Open cyphar opened 5 years ago
lox
commented
5 years ago Thanks for dropping by @cyphar. Yup, I completely agree. Will add a clearer warning.
Btw, regarding lock-step issues, aren't those mitigated by pinning sockguard support to a specific docker API version?
cyphar
commented
5 years ago Btw, regarding lock-step issues, aren't those mitigated by pinning sockguard support to a specific docker API version?
That works if there was an API bump, but some changes to existing fields don't get an API version bump (I recently got a change in which made Domainname actually do what it was meant to do -- and there wasn't an API version bump needed). But maybe that is rare enough it's not an issue.
I think this is a great idea as another layer of security (over the "no layer" of security that we currently have), but I think there needs to be a bit more all-caps warnings in the README. In particular, most vulnerabilities in Docker (of which there have been many -- and some more are currently embargoed) likely won't be caught by this tool because it only can reasonably block "front-door" access. Not to mention that it has the lock-step updates problem (new fields or new semantics might result in older safe arguments to no longer be safe -- look at
docker cpfor an example of this).