On Fri, Apr 17, 2020 at 01:11:54AM -0500, Erik Stel wrote:
This would limit the ability to write, but you can't prohibit reading the filesystem I think. The VM needs to read the image for one thing. If the VM would allow FFI or OSProcess, would it be possible to limit application execution using container configuration? Because with FFI/OSProcess a (naughty) user could try to gain access to applications or data.
Hi Erik,
My VM is built on Alpine Linux. The official Alpine Linux Docker image is about 5MB. Adding the VM and plugins (including my own custom libsqlite3.so and some other shared libraries) gives a Docker image under 20MB. The size of your application - Smalltalk image, changes if required, other artefacts - is in your control of course.
While running the application using a non-root dedicated UID does not prohibit the VM from reading the filesystem (assuming your code allows it), using Alpine Linux means there is very little in the filesystem to be read at all.
See https://www.samadhiweb.com/tags/Alpine%20Linux for some blog posts. GitHub here: https://github.com/pharo-contributions/Docker-Alpine
It should be possible to implement more stringent controls using Linux filesystem ACLs or Docker configuration.
HTH.
Pierce
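A minimal Alpine-based Dockerfile along the lines Pierce describes, as an added example (not the Docker-Alpine project's own Dockerfile): the VM, plugins and image are owned by root and read-only, and the process runs as a dedicated non-root UID with a single writable scratch directory. The `vm/` layout, file names, the `--headless` flag and the run-time flags in the trailing comments are assumptions.

```dockerfile
# Added example, not the Docker-Alpine project's own Dockerfile.
# Assumptions (hypothetical): a Pharo VM built for Alpine sits in the build
# context as ./vm/ (binary "pharo" plus plugin .so files), and the application
# is ./Pharo.image and ./Pharo.changes.
FROM alpine:3.18

# Dedicated unprivileged system account: no password, no home, no login shell.
RUN addgroup -S pharo && adduser -S -D -H -G pharo -s /sbin/nologin pharo

WORKDIR /opt/pharo

# VM and plugins: root-owned, readable/executable but not writable by the app user.
COPY --chown=root:root vm/ /opt/pharo/vm/

# Image and changes: root-owned and read-only. The app user cannot save the
# image or append to the changes file, which is what an immutable deployment
# wants. If the application must write the changes file, chown it to pharo instead.
COPY --chown=root:root Pharo.image Pharo.changes /opt/pharo/
RUN chmod -R a-w /opt/pharo && chmod 0555 /opt/pharo/vm/pharo

# The only writable location: a scratch directory for transient application data.
RUN mkdir -p /var/lib/pharo-data && chown pharo:pharo /var/lib/pharo-data
VOLUME ["/var/lib/pharo-data"]

# Drop to the dedicated UID before the VM starts; nothing below runs as root.
USER pharo:pharo
ENTRYPOINT ["/opt/pharo/vm/pharo", "--headless", "/opt/pharo/Pharo.image"]

# Suggested run-time hardening (assumed flags, all standard docker run options):
#   docker run --read-only --tmpfs /tmp \
#     --cap-drop=ALL --security-opt=no-new-privileges \
#     --pids-limit 100 my-pharo-app
# --read-only makes the whole root filesystem immutable at run time, so even a
# bug that re-enables writes in the image cannot modify the VM or plugins.
```

Because the container root filesystem is read-only and the process holds no capabilities, an FFI or OSProcess call from inside the image can only reach what the tiny Alpine base already exposes, and cannot persist changes outside the scratch volume.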