disable access to control routes via 192.168.127.1

[ghost]

Using the podman machine, containers can access forwarder controls via curl -s 192.168.127.1/.... This behavior should probably be disabled or gated in some way.

It has security implications if end users decide to use podman to host containerized applications on Mac for example, which is something that absolutely happens with Docker for Desktop on Mac.

[guillaumerose]

Yes good idea. We could do that with a certificate that can be mounted in the VM.

[ghost]

What do you think about adding functionality to create unix sockets on VMs that route to services?

Thinking I would like to increase the level of effort to access this to be file system access (or container escape).

[guillaumerose]

What do you think about adding functionality to create unix sockets on VMs that route to services?

It would imply something new in the VM to handle that no? A process or a good systemd magic configuration?

[ghost]

Could probably take advantage of an ssh client similar to what is being done for unix2unix sockets in the forwarder service. The access is very specific to tools like podman.