From 30a0e09a22ab0d78816cfaf317736b631e1ec3bf Mon Sep 17 00:00:00 2001 From: eternal-flame-AD Date: Wed, 20 Nov 2024 06:18:43 -0600 Subject: [PATCH] Update README Signed-off-by: eternal-flame-AD --- README.md | 28 +++++++++++++++++++++++++--- 1 file changed, 25 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 95c2f00..cd7bc7a 100644 --- a/README.md +++ b/README.md @@ -17,10 +17,11 @@ Work in progress! Currently to do: - [X] Read config from Cloudflare - [X] Timing and Rate-limiting headers (some not available on Cloudflare Workers) - [X] Tiered rate-limiting -- [ ] Lossy WebP on CF Workers +- [ ] Lossy WebP on CF Workers (maybe already works?) - [ ] Cache Results on Cloudflare KV. - [ ] Handle all possible panics reported by Clippy - [X] Sandboxing the image rendering +- [X] Prometheus-format metrics ## Demo 
@@ -53,8 +54,10 @@ Image: 1. Edit `local.toml` to your liking. The documentations can be opened with `cargo doc --open`. 2. Test run with `cargo run --features env-local -- -c local.toml`. Additional features `apparmor` and `reuse-port` are available for Linux users. + + If you do not use the `apparmor` feature, you need to remove the `apparmor` stanza from the configuration file or the program will refuse to start. The `reuse-port` feature is not necessary but may improve performance on Linux in high-traffic environments. - 3. Build with `cargo build --features env-local --profile release-local`. The built binary will be in `target/release-local/yumechi-no-kuni-proxy-worker`. You can consider setting `RUSTFLAGS="-Ctarget-cpu=native"` for better performance. + 3. Build with `cargo build --features env-local --profile release-local`. The built binary will be in `target/release-local/yumechi-no-kuni-proxy-worker`. You can consider setting `RUSTFLAGS="-Ctarget-cpu=native"` for better performance. Be prepared for ~5 minutes of build time due to link time optimization. 4. The only flag understood is `-c` for the configuration file. The configuration file is in TOML format. However, the `RUST_LOG` environment variable will change the log level. The log level is `info` by default if the environment variable is not set. 
@@ -72,7 +75,26 @@ Image: 8. Edit `wrangler.toml` to your liking. Everything in the `[vars]` section maps directly into the `config` section of the TOML configuration file. There is a `cf-worker-paid` feature set which enable some additional features that will never fit in the free plan, mainly SVG font rendering and some debugging features. - 9. Test locally with `wrangler dev`. + 9. Test locally with `wrangler dev`. 10. Deploy with `wrangler deploy --outdir bundled/`. +## AppArmor + +AppArmor is a Mandatory Access Control Linux security module that can be used to heavily restrict the actions of tasks. + +It is much more secure than Docker and I recommend using AppArmor instead of Docker for isolation, mainly because: + +- Docker is not designed for security but for convenience. +- Docker only creates a new namespace but do not actually police the actions of the task. +- There is no dynamic privilege reduction in Docker, so if the image parsing is compromised at the very least your whole container is compromised. +- AFAIK there are no known bypasses for AppArmor, but there are known bypasses for Docker. + +To use AppArmor, you need to have the apparmor LSM loaded into kernel (should be just a kernel parameter) and load the `mac/apparmor/yumechi-no-kuni-proxy-worker` profile into the system. You might want to adjust the path to your binary and configuration file, or alternatively use the systemd `AppArmorProfile` directive to confine the worker. + +All major distros should have an easy-to-follow guide on how to do this. Typically add a kernel parameter and install a userspace tool package. + +This will create a highly restrictive environment: try it yourself with `aa-exec -p yumechi-no-kuni-proxy-worker [initial_foothold]` and see if you can break out :). And that is just the first layer of defense, try the more restrictive subprofiles: + +- `yumechi-no-kuni-proxy-worker//serve`: irreversibly dropped into before listening on the network begins. 
Restrict loading additional code and access to configuration files. +- `yumechi-no-kuni-proxy-worker//serve//image`: absolutely no file, network or capability access. \ No newline at end of file
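Review bot: In the first hunk (the to-do list), `- [X] Prometheus-format metrics` marks the feature done but the README change says nothing about where the metrics are served or how access to them is controlled; a metrics endpoint leaks request rates and timing, so add a line naming the path and stating whether it is reachable from the public listener or only from a separate/admin address. The edit to the WebP item, `- [ ] Lossy WebP on CF Workers (maybe already works?)`, leaves the status ambiguous; either verify it and tick the box or keep the original unchecked wording rather than committing a guess.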
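Review bot: In the second hunk (local build steps), the new paragraph about the `apparmor` stanza describes the failure ("the program will refuse to start") but not what the operator will see, and it is inserted as an indented paragraph between list items 2 and 3; check that it renders as part of item 2 rather than breaking the numbered list. Step 3 also recommends `RUSTFLAGS="-Ctarget-cpu=native"` without noting that the resulting binary is tied to the CPU it was built on and may fail with illegal-instruction errors if copied to a different host; since this is the release-build instruction, add a sentence saying to use it only when building on the machine that will run the worker.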
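Review bot: In the third hunk (the new `## AppArmor` section), the claims "It is much more secure than Docker" and "AFAIK there are no known bypasses for AppArmor, but there are known bypasses for Docker" are unsupported and compare unlike things: Docker is a container runtime that itself applies a default AppArmor profile (`docker-default`) and a seccomp filter on hosts that support them, while AppArmor is an LSM that can confine the worker whether or not it runs in a container. Suggest rewording the section as defence in depth ("the AppArmor profile confines the process regardless of how it is launched; run it inside a container as well if you like") and dropping or citing the "no known bypasses" line. The instructions also stop at "load the `mac/apparmor/yumechi-no-kuni-proxy-worker` profile into the system" without giving the command; add the concrete step (for example `sudo apparmor_parser -r mac/apparmor/yumechi-no-kuni-proxy-worker`) and note that the binary and config paths inside the profile must match the install location or the profile will deny the worker its own files. Finally, the sentence describing `//serve` ("irreversibly dropped into before listening on the network begins. Restrict loading additional code and access to configuration files.") is split across a line break in the diff and reads as two fragments; join it into one sentence.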