In part 2 of my macOS security internals series, I demystify System Integrity Protection (SIP), breaking down how the kernel enforces Apple-signed entitlements over POSIX root privileges, the mechanics of rootless.conf, and why the hardware always has the final veto.

Includes a small C program to audit your own CSR bitfield configuration.

Read the full deep dive here:
https://bytearchitect.io/macos-security/Apple-defences-SIP-and-APFS-(cont'd)/

#macOS #infosec #cybersecurity #ReverseEngineering #XNU #AppleSecurity #Kernel #OSInternals #Rootless

"#CopyFail has proven to be a great example to refer to when writing about the #Podman implementation of #rootless #containers. In this note I reproduce the exploit across distinct container configurations to try to understand the exposure of a compromised rootless container."

https://garrido.io/notes/podman-rootless-containers-copy-fail/

I wondered about #rootless containers (#Podman / #Docker) and found explanations of how this uses user namespaces, but I was missing an explanation of the interactions with other namespaces (you need root to create namespaces, so how is that done rootless?).

I then found https://rootless.vagmi.ca, which implements rootless containers from scratch and explains it very well. The user_namespaces manpage is also good to read and fills in some missing bits: https://man.archlinux.org/man/user_namespaces.7.en

TL;DR of what I learned in the follow-up. 1/3


@jriou Indeed, I migrated on a rainy weekend!

The main issues I ran into were: User Namespaces, Network and, obviously, DNS.
This blog helped me understand the difference from #docker behaviour by setting up some demo apps:
https://giacomo.coletto.io/blog/podman-quadlets/

To experiment with #rootless mode, I followed: https://www.redhat.com/en/blog/rootless-podman-user-namespace-modes

#podman

How to install multi-container applications with Podman quadlets

Quadlet files make it easy to manage applications that need multiple containers, without needing root privileges

Giacomo Coletto

I'm still configuring my #alpinelinux + #cosmic desktop, and I realized I didn't want to install git in the main user-land on that computer; I'm being extra paranoid - and kind of petty. So I did what any sane person would do:

- install #podman
- configure podman to be #rootless
- install #crun because rootless is not exactly what I really want
- install #toolbx
- install #git inside that isolated container
- profit

You might have noticed that I have spent some time in my Quadlets Repo, taking care of some Grafana stuff.

Took me a bit to understand it but I’m quite happy with the result.

Check it out if you’d like to deploy your Grafana instance with a few extras in your homelab!

https://codeberg.org/Spoljarevic/Quadlets/src/branch/master/rootless/containers/systemd/Monitoring%20-%20prometheus%20and%20grafana

#git #codeberg #monitoring #grafana #prometheus #NodeExporter #podmanexporter #tailscale #tailscaleexporter #podman #quadlet #quadlets #rootless

Quadlets

Containers are an essential skill for every Sysadmin. Red Hat's Podman makes this easy and secure with rootless Containers. But a normal container or Compose needs to be started manually; Quadlets change that. Use my presets and convert them into SystemD Services with the Wiki Page I wrote.

Codeberg.org

RE: https://social.wildeboer.net/@jwildeboer/115890302649611807

Thanks for that hint, @jwildeboer! Immich is up and running - the import of my family's libraries will take a while though… #Immich #Podman #rootless #SelfHosting

Talk almost ready – Chemnitz Linux Days, here we go! 💻🐧

Putting the final touches on my talk – tomorrow it’s time. ⏰

Chemnitz Linux Days 2026, I’m all set and excited to be there. 🙉

30+ slides on Podman in rootless mode in combination with Quadlets are ready – even though this topic really only scratches the surface. 📚

#chemnitzerlinuxtage #podman #rootless #linux #containers #quadlets