mirror/matrix-docker-ansible-deploy
1
0
Fork 0
mirror of https://github.com/spantaleev/matrix-docker-ansible-deploy.git synced 2025-08-13 10:21:31 +02:00
Code Issues Packages Projects Releases Wiki Activity
Files
docs
examples
group_vars
inventory
roles
matrix-base
matrix-common-after
matrix-corporal
matrix-coturn
matrix-mailer
matrix-mxisd
matrix-nginx-proxy
matrix-postgres
defaults
tasks
templates
matrix-riot-web
matrix-synapse
.gitignore
CHANGELOG.md
LICENSE
README.md
ansible.cfg
setup.yml
316d653d3e0530d11f7f3a8a6b3f8cf97daaf0f8
matrix-docker-ansible-deploy/roles/matrix-postgres
History
Slavi Pantaleev 316d653d3e Drop capabilities in containers 
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
..
defaults
Make roles more independent of one another
2019-01-16 18:05:48 +02:00
tasks
Make (most) containers start as non-root
2019-01-27 20:25:13 +02:00
templates
Drop capabilities in containers
2019-01-28 11:22:54 +02:00