Security Architecture

We operate under a simple assumption: Every line of code is malicious.

1. Anti-Fork Bombing

The classic :(){:|:&};: attack attempts to crash the host by spawning infinite processes.

Defense: Strict pids_limit (max 64 processes) on every container.

2. Network Air-Gapping

Preventing reverse shells, malware downloads, and internal network scanning.

Defense: Containers run with network_mode: none. Zero TCP/UDP packets leave the sandbox.

3. Read-Only Filesystem

Blocking modification of system binaries (/bin, /usr) and configuration files.

Defense: Root filesystem is mounted read-only. Writes are restricted to a temporary /tmp volume.

4. No Root Privileges

Even if a runtime escape occurs, the process has no capabilities to harm the host kernel.

Defense: --cap-drop=ALL removes all Linux capabilities, and the no-new-privileges flag is enforced.
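
One way to verify that a running container actually carries all four defenses is to audit its `docker inspect` output. This is an added example, not this project's own code: it assumes Docker's HostConfig field names, uses a constructed sample, and goes slightly beyond the page by also flagging capabilities re-added through cap-add or privileged mode.

```python
import json

PIDS_MAX = 64  # limit stated on this page

def no_new_privs(opts):
    # Accept both "no-new-privileges" and "no-new-privileges:true" spellings.
    for opt in opts or []:
        key, _, val = opt.replace("=", ":", 1).partition(":")
        if key == "no-new-privileges" and val in ("", "true"):
            return True
    return False

def audit(hc):
    """Return the controls from this page that a HostConfig dict violates."""
    findings = []
    pids = hc.get("PidsLimit")
    # Docker reports null, 0 or -1 when no PID limit is set.
    if not isinstance(pids, int) or not 0 < pids <= PIDS_MAX:
        findings.append(f"pids_limit: want 1..{PIDS_MAX}, got {pids!r}")
    if hc.get("NetworkMode") != "none":
        findings.append(f"network_mode: want 'none', got {hc.get('NetworkMode')!r}")
    if hc.get("ReadonlyRootfs") is not True:
        findings.append("read-only rootfs: not enabled")
    if "ALL" not in {c.upper() for c in hc.get("CapDrop") or []}:
        findings.append("cap-drop: ALL not dropped")
    if hc.get("CapAdd") or hc.get("Privileged"):
        findings.append("capabilities: re-added via cap-add or privileged")
    if not no_new_privs(hc.get("SecurityOpt")):
        findings.append("no-new-privileges: not set")
    return findings

def audit_inspect(text):
    """Map container name -> findings for `docker inspect` JSON output."""
    return {c["Name"]: audit(c["HostConfig"]) for c in json.loads(text)}

# Constructed sample in the shape of `docker inspect` output (not real data).
SAMPLE = """[
 {"Name": "/sandbox-ok", "HostConfig": {"PidsLimit": 64, "NetworkMode": "none",
   "ReadonlyRootfs": true, "CapDrop": ["ALL"], "CapAdd": null,
   "Privileged": false, "SecurityOpt": ["no-new-privileges:true"]}},
 {"Name": "/sandbox-weak", "HostConfig": {"PidsLimit": null, "NetworkMode": "bridge",
   "ReadonlyRootfs": false, "CapDrop": null, "CapAdd": null,
   "Privileged": false, "SecurityOpt": null}}
]"""

if __name__ == "__main__":
    for name, findings in audit_inspect(SAMPLE).items():
        print(name, "OK" if not findings else findings)
```

Feeding it the real output of `docker inspect <container>` in place of the sample makes it usable as a deployment gate that fails when any finding is returned.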

Security is a moving target. If you find a vulnerability, please report it.