Context

I want to host public-facing applications on a server in my home, without compromising security. I realize containers might be one way to do this, and want to explore that route further.

Requirements

I want to run applications within containers such that they

  • Must not be able to interfere with applications running on host
  • Must not be able to interfere with other containers or applications inside them
  • Must have no access or influence on other devices in the local network, or otherwise compromise the security of the network, but still accessible by devices via ssh.

Note: all of this within reason. I understand that sometimes there may be occasional vulnerabilities, like in kernel for example, that would eventually get fixed. Risks like this within reason I am willing to accept.

What I found so far

  • Running containers in rootless mode: in other words, running the container daemon with an unprivileged host user
  • Running applications in container under unprivileged users: the container user under which the container is ran should be unprivileged
  • Networking: The container’s networking must be restricted. I am still not sure how to do this and shall explore it more, but would appreciate any resources.

Alternative solution

I have seen bubblewrap presented as an alternative, but it seems like it is not intended to be used directly in this manner, and information about using it for this is scarce.

  • onlinepersona@programming.devEnglish
    2·
    6 months ago

    Running a container as an unprivileged user with podman is already quite good. Even if they break out of the container, the attacker will now be an unprivileged user. You’ll have to look up how to secure users in linux (I don’t know how).

    As for networking, that’s where the firewall comes in. iptables are supposedly superseded by nftables. The easiest way to configure that is either with a GUI or with firewalld. If I’m not mistaken, basically, what you want to do is limit the unprivileged user to creating a network namespace with a certain IP range (not sure if a virtual network device is created? probably). Then you can use the firewall to say:

    • allow all incoming and outgoing connections from the gateway (whatever device is exposed to the public internet through which your computer connects and receives traffic)
    • block all connections outside of network namespace to IPs in your home network unless the connection was established from that IP. In other words your container won’t be able to connect to devices in your home network unless those devices initiated the connection themselves

    You can find more information about iptables on wikibooks. I cannot remember which table to use, but I think it’s the filter table.

    • rule1: INPUT chain ALLOW all from gateway
    • rule2: OUTPUT chain ALLOW all to gateway
    • rule3: INPUT chain ALLOW all from home network
    • rule4: OUTPUT chain ALLOW all ESTABLISHED connection to the home network

    Can’t think of anything else. But it might help to draw a diagram with the network traffic flows.

    CC BY-NC-SA 4.0