---
title: "Disallow Proc Mount"
url: https://docs.nirmata.io/docs/policy-sets/podsecurity/baseline/disallow-proc-mount/
---



### Description
The default `/proc` masks applied by the container runtime reduce attack surface and should be required. This security control ensures that nothing but the default `procMount` (or no `procMount` at all) can be specified for any container in a Pod.

**Restricted Fields**
* spec.containers[*].securityContext.procMount
* spec.initContainers[*].securityContext.procMount
* spec.ephemeralContainers[*].securityContext.procMount

**Allowed Values**
* Undefined/nil
* Default

### Risks
Use the `Default` procMount (or leave the field unset): it keeps the container runtime's default masked and read-only paths for `/proc`. Runtimes such as runc mask entries like `/proc/kcore`, `/proc/keys`, `/proc/timer_list` and `/proc/sched_debug` and mount `/proc/sys` and `/proc/sysrq-trigger` read-only, so a container cannot read or alter kernel state through them (ordinary entries such as `cpuinfo` or `diskstats` are readable in every container; the masking covers the sensitive paths). Setting `procMount` to `Unmasked` removes both lists. The value is only honoured by the kubelet when the `ProcMountType` feature gate is enabled, but the policy rejects it regardless, because it introduces the following risks:

* `Exposure of Sensitive Information`: With `Unmasked`, the container sees the full `/proc` filesystem without the runtime's masking. Paths that are normally hidden, such as `/proc/kcore` (a view of system memory) and `/proc/keys` (kernel keyring entries), become readable, subject to the container's capabilities and user namespace.

* `Increased Attack Surface`: An unmasked `/proc` reveals detailed scheduler, timer and kernel internals, and the normally read-only `/proc/sys` and `/proc/sysrq-trigger` become writable. This helps an attacker who has already gained execution in the container to fingerprint the kernel, craft more targeted exploits, or affect the host.

### Kyverno Policy
Refer to the Nirmata curated policies - [disallow-proc-mount.yaml](https://github.com/nirmata/kyverno-policies/blob/main/pod-security/baseline/disallow-proc-mount/disallow-proc-mount.yaml)

### References
#### Configuration Settings
The pattern below uses Kyverno's equality anchor `=()`, which validates a key only if that key exists in the resource. It states that for every entry of `ephemeralContainers`, `initContainers` or `containers` in the Pod `spec`, **if** `securityContext` is present **and** `procMount` is present inside it, then the only acceptable value is `Default`. A container without a `securityContext`, or with a `securityContext` that does not set `procMount`, is conformant by default (the kubelet then uses the runtime's default masking). `containers` is not anchored because a Pod spec always contains it; the other two lists are optional and therefore anchored.

```yaml
=(ephemeralContainers):
  - =(securityContext):
    =(procMount): "Default"
=(initContainers):
  - =(securityContext):
    =(procMount): "Default"
containers:
  - =(securityContext):
    =(procMount): "Default"
```
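To make the semantics of the pattern concrete, here is a small stand-alone validator that mirrors it: it walks the same three container lists, treats an absent `securityContext` or `procMount` as conformant (the behaviour of the `=()` anchor), and accepts only the literal `Default`. This is an added example, not Kyverno's or Nirmata's code, and the two sample resources are constructed for illustration (the good Deployment follows the example on this page; the `badpod` Pod is invented to show violations in an init container and an ephemeral container).

```python
# Added example: mirrors the disallow-proc-mount pattern in plain Python.
# Not Kyverno or Nirmata code; the sample resources below are constructed.
from typing import Any

# The three container lists the policy restricts.
CONTAINER_LISTS = ("containers", "initContainers", "ephemeralContainers")
# Allowed values: undefined/nil (None here) or the literal "Default".
ALLOWED_PROC_MOUNT = (None, "Default")


def pod_spec_of(resource: dict[str, Any]) -> dict[str, Any]:
    """Return the PodSpec: `spec` for a Pod, `spec.template.spec` for Deployment-like kinds."""
    spec = resource.get("spec") or {}
    if resource.get("kind") == "Pod":
        return spec
    return (spec.get("template") or {}).get("spec") or {}


def proc_mount_violations(resource: dict[str, Any]) -> list[str]:
    """List every container whose securityContext.procMount is set to anything but Default.

    A missing securityContext or a securityContext without procMount is conformant,
    exactly like the =() equality anchor in the Kyverno pattern.
    """
    violations: list[str] = []
    spec = pod_spec_of(resource)
    for field in CONTAINER_LISTS:
        for idx, container in enumerate(spec.get(field) or []):
            security_context = container.get("securityContext") or {}
            value = security_context.get("procMount")
            if value not in ALLOWED_PROC_MOUNT:
                name = container.get("name", "?")
                violations.append(f"{field}[{idx}] ({name}): procMount={value!r}")
    return violations


def is_conformant(resource: dict[str, Any]) -> bool:
    """True when no container in the resource sets a disallowed procMount."""
    return not proc_mount_violations(resource)


# Constructed sample: the conformant Deployment from this page.
GOOD_DEPLOYMENT = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "gooddeployment"},
    "spec": {
        "template": {
            "spec": {
                "initContainers": [
                    {"name": "initcontainer01", "image": "dummyimagename",
                     "securityContext": {"procMount": "Default"}},
                    {"name": "initcontainer02", "image": "dummyimagename"},
                ],
                "containers": [
                    {"name": "container01", "image": "dummyimagename",
                     "securityContext": {"procMount": "Default"}},
                ],
            }
        }
    },
}

# Constructed sample: a Pod that asks for Unmasked in an init container and in
# an ephemeral (debug) container; the app container sets a securityContext
# without procMount and is therefore fine.
BAD_POD = {
    "apiVersion": "v1",
    "kind": "Pod",
    "metadata": {"name": "badpod"},
    "spec": {
        "initContainers": [
            {"name": "init", "image": "dummyimagename",
             "securityContext": {"procMount": "Unmasked"}},
        ],
        "containers": [
            {"name": "app", "image": "dummyimagename",
             "securityContext": {"runAsNonRoot": True}},
        ],
        "ephemeralContainers": [
            {"name": "debugger", "image": "dummyimagename",
             "securityContext": {"procMount": "Unmasked"}},
        ],
    },
}

if __name__ == "__main__":
    for res in (GOOD_DEPLOYMENT, BAD_POD):
        verdict = "conformant" if is_conformant(res) else proc_mount_violations(res)
        print(res["metadata"]["name"], verdict)
```

Note that the check is an exact string match, as in the Kyverno pattern; the API server only accepts `Default` and `Unmasked` for this field, so any other spelling is rejected before the policy ever sees it.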

#### Resource Example
Below is a `Deployment` resource example that conforms to this control. `initcontainer01` and `container01` set `securityContext.procMount` explicitly to `Default`, while `initcontainer02` sets no `securityContext` at all, which is equally acceptable. No `ephemeralContainers` are shown because they are not part of a workload's Pod template; they are added to a running Pod through its `ephemeralcontainers` subresource, and the policy checks them there in the same way.

```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gooddeployment
spec:
  replicas: 1
  selector:
    matchLabels:
      app: app
  template:
    metadata:
      labels:
        app: app
    spec:
      initContainers:
      - name: initcontainer01
        image: dummyimagename
        securityContext:
          procMount: Default
      - name: initcontainer02
        image: dummyimagename
      containers:
      - name: container01
        image: dummyimagename
        securityContext:
          procMount: Default
```

