Here are several ways to enhance the security of a ruri container; please read this document before using ruri.

If your device supports user namespaces, install uidmap and use the `-r` option as a common (non-root) user, so that you do not need root privileges to run the container.

If you cannot run a rootless container, there is another choice: add a common user inside your container and use `-E username` to run the command as that user instead of root. If you do not need any privileges, it is better to enable no_new_privs (`-n`) at the same time.
ruri supports the hidepid option for /proc; use `-i 1` or `-i 2` to enable it.

Ruri automatically drops unneeded capabilities, but it also provides a capability control function: read capabilities(7) and use the `-d` option to filter out capabilities that are unnecessary inside the container.
Ruri creates the file /.rurienv in the container; to avoid security issues this file is immutable and read-only. You can also disable creating it with the `-N` option.

Ruri supports the memory cgroup; use the `-l` option to set the limit on memory usage.

Ruri supports unshare, and it is recommended to enable this feature for better security: an unshare container uses pivot_root(2) instead of chroot(2), which is more secure.
Ruri supports the `-m` option to mount other devices, images or directories into the container; if you only need read access to a mountpoint, use the `-M` option instead to mount it read-only.

Ruri has a built-in Seccomp profile; enable it with the `-s` option. If this profile does not fit your needs, you can edit src/seccomp.c and write your own Seccomp rules. If you just want to deny a syscall, use the `-X` option, which sets SCMP_ACT_KILL for that syscall. For example: `-X unshare -X chroot`.
Ruri supports enabling the no_new_privs bit with the `-n` option; after enabling it, commands like sudo will be unavailable to a common user.

Ruri supports mounting the rootfs of the container as read-only with the `-R` option; this makes the whole container read-only.

/dev, /proc and /sys will not be mounted if you enable the `-j` option.

You can use the `-x` option to create a new network namespace and disable networking for the container.
For /dev, ruri only creates the necessary devices, so block devices are never available in the container; because cap_mknod and cap_sys_admin are dropped by default, you cannot escape from the ruri container by modifying disk partitions.

Ruri masks some directories in /proc and /sys with tmpfs to protect the host from security issues.

Ruri drops unneeded capabilities by default, so that escaping from the container is avoided.
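A hardened launch wrapper assembled from the options above, added here as an example and not code from the ruri project. It assumes ruri is on PATH and that the rootfs already contains the named common user; the `-l` value format (`512M`) and the sysctl paths used to detect user namespace support are guesses, not something this document states.

```shell
#!/bin/sh
# Added example, not part of ruri's own code: assemble a hardened ruri
# command line from the options described in this document. Assumptions:
# ruri is on PATH, the rootfs already has the unprivileged user USER,
# and the -l value format ("512M") is a guess.

# Returns 0 when the host appears to allow unprivileged user namespaces
# (required for rootless mode with -r). The sysctl paths are assumptions
# about a typical Linux host, not something ruri documents.
userns_available() {
    if [ -r /proc/sys/kernel/unprivileged_userns_clone ] &&
       [ "$(cat /proc/sys/kernel/unprivileged_userns_clone)" = "0" ]; then
        return 1
    fi
    [ -r /proc/sys/user/max_user_namespaces ] &&
        [ "$(cat /proc/sys/user/max_user_namespaces)" != "0" ]
}

# ruri_hardened_args ROOTFS USER MEMLIMIT ROOTLESS(0|1)
# Prints the option list followed by ROOTFS. ROOTLESS is passed in rather
# than probed so the output is deterministic. The unshare feature is also
# recommended, but its option letter is not given in this document.
ruri_hardened_args() {
    rootfs=$1; user=$2; memlimit=$3; rootless=$4
    if [ "$rootless" = 1 ]; then
        args="-r"                      # rootless via user ns, needs uidmap
    else
        args="-E $user"                # run as a common user instead of root
    fi
    args="$args -n"                    # no_new_privs: sudo/setuid cannot elevate
    args="$args -i 2"                  # hidepid=2 for /proc
    args="$args -s"                    # built-in Seccomp profile
    args="$args -X unshare -X chroot"  # SCMP_ACT_KILL for these syscalls
    args="$args -R"                    # whole rootfs read-only
    args="$args -x"                    # fresh net ns, no network
    args="$args -l $memlimit"          # memory cgroup limit
    printf '%s %s\n' "$args" "$rootfs"
}

# Launch only when explicitly asked, so sourcing this file has no side effects.
if [ "${RURI_LAUNCH:-0}" = 1 ]; then
    if userns_available; then rootless=1; else rootless=0; fi
    # Word splitting of the option list is intended here.
    exec ruri $(ruri_hardened_args "${ROOTFS:-/opt/rootfs}" "${USER_IN_CT:-user}" 512M "$rootless") /bin/sh
fi
```

Run with `RURI_LAUNCH=1 ROOTFS=/path/to/rootfs USER_IN_CT=alice sh hardened.sh` to start a shell in the container with the hardening options applied.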