Security & Hardening
This document outlines the security policy for macpine and provides recommendations for hardening your virtual machine instances.
Security Policy
As macpine is under active development, security is currently considered secondary to functionality. It is not recommended that this project be used in security-critical production use cases at this time.
Reporting Vulnerabilities
If you discover a security issue in macpine itself or its specific use of dependencies, you are encouraged to create a new issue on GitHub. Please check existing open and closed issues first to avoid duplicates.
Pull requests that address vulnerabilities are welcome. Please provide documentation of the issue and how your changes resolve it. All contributions are subject to the project's Apache 2.0 License.
Hardening Recommendations
You can take several steps to improve the security of your macpine instances.
1. Use SSH Key Authentication
This is the single most effective way to secure your VM. By disabling password authentication, you protect it from brute-force attacks.
- Configure SSH Agent: Set up your ~/.ssh/config to use a key for your VM. See the Configuration Guide for an example.
- Update config.yaml: Change sshpassword to use the ssh backend (e.g., sshpassword: "ssh::alpine").
- Disable Password Login: SSH into your VM and edit /etc/ssh/sshd_config. Set the following options:
      PasswordAuthentication no
      PermitRootLogin prohibit-password
- Restart the SSH service inside the VM:
      rc-service sshd restart
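
A check for the sshd_config step above, as an added example that is not part of the macpine documentation: sshd uses the first value it reads for each keyword, so hardening lines appended below an existing "PasswordAuthentication yes" have no effect. The function names and the sample file are constructed for illustration; Include files and Match blocks are not evaluated.

```shell
#!/bin/sh
# Added example (not macpine code): audit the global section of an
# sshd_config file for the two options recommended above.

# effective_value FILE KEYWORD
# Prints the first value set for KEYWORD (lowercased), or nothing if unset.
# Keywords are case-insensitive and sshd keeps the FIRST value it obtains.
effective_value() {
    awk -v key="$2" '
        BEGIN { key = tolower(key) }
        NF == 0 { next }                  # blank line
        $1 ~ /^#/ { next }                # comment
        tolower($1) == "match" { exit }   # global section ends here
        tolower($1) == key { print tolower($2); exit }
    ' "$1"
}

# audit_sshd_config FILE
# Returns 0 only if both options are set explicitly to hardened values.
audit_sshd_config() {
    file=$1
    rc=0
    pa=$(effective_value "$file" PasswordAuthentication)
    prl=$(effective_value "$file" PermitRootLogin)
    if [ "$pa" != "no" ]; then
        echo "FAIL PasswordAuthentication=${pa:-unset}"
        rc=1
    fi
    case "$prl" in
        prohibit-password|no) ;;
        *) echo "FAIL PermitRootLogin=${prl:-unset}"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample: hardening lines appended below a stock "yes".
sample=$(mktemp)
cat > "$sample" <<'EOF'
#PasswordAuthentication no
PasswordAuthentication yes
PermitRootLogin prohibit-password
PasswordAuthentication no
EOF
audit_sshd_config "$sample" || echo "sample config is not hardened"
rm -f "$sample"
```

Inside the VM, call audit_sshd_config /etc/ssh/sshd_config after editing; running sshd -T as root prints the full effective configuration, including values pulled in through Include.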
2. Limit Exposed Ports
- Only forward the ports that are absolutely necessary for your services to function.
- qemu port forwarding binds to 0.0.0.0 by default, meaning any device on your network can potentially access the forwarded ports. Enable the macOS firewall to prevent unwanted ingress traffic to the guest VM.
3. Use Unprivileged Users and Ports
- Inside the VM, run your services as a dedicated, non-root user whenever possible.
- Run services on unprivileged ports (greater than 1024).
4. Be Cautious with Emulation
According to the QEMU Security Information, the Tiny Code Generator (TCG) used for cross-architecture emulation (e.g., running an x86_64 VM on an ARM Mac) is not developed with security as a primary goal. Guests emulated using TCG must be considered trusted.
5. Keep the System Updated
Regularly run apk update && apk upgrade inside your Alpine VMs to ensure you have the latest security patches for all installed packages.