feat(security): add plugin signature allowlisting and security hardening
Implement Phase 3 of Custom DNS Provider Plugin Support with comprehensive
security controls for external plugin loading.
Add CHARON_PLUGIN_SIGNATURES env var for SHA-256 signature allowlisting
Support permissive (unset), strict ({}), and allowlist modes
Add directory permission verification (reject world-writable)
Configure container with non-root user and read-only plugin mount option
Add 22+ security tests for permissions, signatures, and allowlist logic
Create plugin-security.md operator documentation
Security controls:
Signature verification with sha256: prefix requirement
World-writable directory rejection
Non-root container execution (charon user UID 1000)
Read-only mount support for production deployments
Documented TOCTOU mitigation with atomic deployment workflow
This commit is contained in:
GitHub Actions
@@ -47,6 +47,7 @@ services:
|
||||
- caddy_data:/data
|
||||
- caddy_config:/config
|
||||
- crowdsec_data:/app/data/crowdsec
|
||||
- plugins_data:/app/plugins:ro # Read-only in production for security
|
||||
- /var/run/docker.sock:/var/run/docker.sock:ro # For local container discovery
|
||||
# Mount your existing Caddyfile for automatic import (optional)
|
||||
# - ./my-existing-Caddyfile:/import/Caddyfile:ro
|
||||
@@ -67,3 +68,5 @@ volumes:
|
||||
driver: local
|
||||
crowdsec_data:
|
||||
driver: local
|
||||
plugins_data:
|
||||
driver: local
|
||||
|
||||
Reference in New Issue
Block a user