lockc-project / lockc

Making containers more secure with eBPF and Linux Security Modules (LSM)
https://lockc-project.github.io/
Apache License 2.0

Add new LSM_HOOK to restrict root user #158

Closed mjura closed 2 years ago

mjura commented 2 years ago

We have decided to implement a new LSM hook which disables the root user in a container.

Fix #85

Expected output with this feature enabled:

opensuse@mjura-dev:~> sudo -i
sudo: PERM_ROOT: setresuid(0, -1, -1): Operation not permitted
sudo: error initializing audit plugin sudoers_audit

opensuse@mjura-dev:~> su - root
Password: 
su: cannot set user id: Operation not permitted