---
# Container hardening settings for the tool-exec-monty service.
services:
  tool-exec-monty:
    security_opt:
      # Stop processes in the container from gaining privileges on exec
      # (setuid/setgid binaries, file capabilities).
      - 'no-new-privileges:true'
      # Custom seccomp filter. The path is relative, so confirm it resolves
      # from the directory Compose is run in.
      # NOTE(review): the file name suggests network syscalls are denied;
      # verify against the profile itself.
      - 'seccomp:./infra/seccomp/monty-no-network.json'
      # AppArmor is left disabled because the profile has to be loaded on
      # the host before a container can reference it:
      #   sudo apparmor_parser -r -W infra/apparmor/threegate-monty
      # Once it is loaded, uncomment the next line:
      # - apparmor:threegate-monty
    # Root filesystem is mounted read-only; the tmpfs mounts below are the
    # only writable paths declared here.
    read_only: true
    tmpfs:
      # Writable scratch space: no executables, no setuid bits, no device
      # nodes, capped at 64m per mount.
      - '/tmp:rw,noexec,nosuid,nodev,size=64m'
      - '/var/tmp:rw,noexec,nosuid,nodev,size=64m'
    # Drop every Linux capability; nothing is added back in this file.
    cap_drop:
      - 'ALL'
    # The service is only started when the monty-hardened profile is active.
    profiles:
      - 'monty-hardened'