Skip to content

[FEAT] Increase granularity of lockdown options #12

Description

@HazardousBackup

Is this a new feature request?

  • I have searched the existing issues

Wanted change

As it stands there is pretty good granularity with which to add or subtract permissions, however, it'd be nice to be able to go into further detail possibly restricting or allowing individual API calls.

Reason for change

One example of why this would be beneficial is the "containers" permission.
For something like Diun, as far as I can tell it only really needs /containers/json access to be able to get the information it needs.
However, with the containers permission, it also has access to /containers/{id}/json which lets it see a large number of details about a running containers including ENV variables that might include sensitive information depending on the setup.
The containers permission also gives access to /containers/{id}/archive which allows for getting tar archives of files inside another container. The ability to grab arbitrary files from another running container is another permission that should be more heavily restricted.

Proposed code change

In the most extreme case, I'd suggest breaking all the different API calls into their own separate permission. Based on my very basic grasp of how this works, that might require just putting a ton more entries into the templates with checks for their env variables.
This might be made easier by using the OpenAPI yaml available from Docker to generate the necessary options procedurally.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    Status
    Done

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions