Description
Given that drivers can introduce potentially untrusted code, it may be worth adding some more guard rails around their operation. A tool that seems like an obvious choice is cgroups.
At a minimum, this would allow resources available to driver processes to be limited and divided as appropriate. Network traffic could also be tagged to enable external filtering and prevent loopback access to internal services.
What I'm not sure of is whether these are assignable when already inside a container without needing privileged access to the host, which is undesirable and in some environments potentially not possible at all. I'll check this next week unless anyone else can clarify first.
If this can be used, can anyone think of reasons why it should be implemented?
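As an added example (not code from this issue or the project), the script below first probes whether the cgroup v2 hierarchy is delegated to the current process, which is the open question above, and only then confines a command in a child cgroup with memory, pid and CPU limits. It assumes the unified (v2) hierarchy is mounted at /sys/fs/cgroup; the cgroup name, limit values and the driver command are placeholders.

```bash
#!/usr/bin/env bash
# Confine a driver process in a cgroup v2 child with memory, pid and CPU limits,
# after probing whether the hierarchy is delegated to us at all. Assumes the
# unified (v2) hierarchy is mounted at /sys/fs/cgroup.
set -eu
CG_ROOT=${CG_ROOT:-/sys/fs/cgroup}
# Our own cgroup path, read from a /proc/self/cgroup-style file; v2 exposes a
# single "0::/path" line. A file argument lets callers pass a captured copy.
own_cgroup() { sed -n 's/^0:://p' "${1:-/proc/self/cgroup}"; }
# cpu.max takes "quota period" in microseconds: 50 (percent) -> "50000 100000".
cpu_max_from_percent() { printf '%s %s\n' "$(( $1 * 1000 ))" 100000; }

# The issue's open question, checked empirically: can this process create and
# configure child cgroups without host privileges? Delegation means we own the
# directory plus cgroup.procs and cgroup.subtree_control. 0 = yes, 1 = no.
cgroup_delegated() {
    local base=$CG_ROOT$(own_cgroup)
    [ -w "$base" ] && [ -w "$base/cgroup.procs" ] && [ -w "$base/cgroup.subtree_control" ]
}

# v2 forbids a cgroup from both holding processes and distributing controllers,
# so move everything already in $base into a "leaf" child before enabling them.
move_procs_to_leaf() {
    local base=$1
    mkdir -p "$base/leaf"
    while read -r pid; do echo "$pid" > "$base/leaf/cgroup.procs" || true; done < "$base/cgroup.procs"
}

# run_confined NAME MEM_BYTES MAX_PIDS CPU_PERCENT CMD [ARGS...]
run_confined() {
    local name=$1 mem=$2 pids=$3 cpu=$4; shift 4
    local base=$CG_ROOT$(own_cgroup) cg
    cgroup_delegated || { echo "cgroup hierarchy is not delegated here" >&2; return 1; }
    move_procs_to_leaf "$base"
    echo "+memory +pids +cpu" > "$base/cgroup.subtree_control"  # each must be in cgroup.controllers
    cg=$base/$name
    mkdir -p "$cg"
    echo "$mem"  > "$cg/memory.max"
    echo "$pids" > "$cg/pids.max"
    cpu_max_from_percent "$cpu" > "$cg/cpu.max"
    # Attach a subshell to the new cgroup, then exec the driver so every descendant
    # inherits the limits. v2 has no net_cls; match traffic by cgroup path in nftables instead.
    ( echo "$BASHPID" > "$cg/cgroup.procs" && exec "$@" )
}

# Demo: 256 MiB, 64 tasks and half a CPU for a placeholder driver command.
if [ "${1:-}" = "--demo" ]; then
    run_confined driver-demo $((256 * 1024 * 1024)) 64 50 /bin/sh -c 'cat /proc/self/cgroup'
fi
```

Run with `--demo` inside the container in question: a refusal from `cgroup_delegated` is the unprivileged case the issue worries about, while a `0::/.../driver-demo` line from the child confirms the limits took effect.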