jowj/matrix-docker-ansible-deploy
1
0
Fork 0
forked from mirrors/matrix-docker-ansible-deploy
Code Issues Pull Requests Releases Wiki Activity
316d653d3e
matrix-docker-ansible-deploy/roles/matrix-synapse/templates/synapse
History
Slavi Pantaleev 316d653d3e Drop capabilities in containers 
We run containers as a non-root user (no effective capabilities).

Still, if a setuid binary is available in a container image, it could
potentially be used to give the user the default capabilities that the
container was started with. For Docker, the default set currently is:
- "CAP_CHOWN"
- "CAP_DAC_OVERRIDE"
- "CAP_FSETID"
- "CAP_FOWNER"
- "CAP_MKNOD"
- "CAP_NET_RAW"
- "CAP_SETGID"
- "CAP_SETUID"
- "CAP_SETFCAP"
- "CAP_SETPCAP"
- "CAP_NET_BIND_SERVICE"
- "CAP_SYS_CHROOT"
- "CAP_KILL"
- "CAP_AUDIT_WRITE"

We'd rather prevent such a potential escalation by dropping ALL
capabilities.

The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
2019-01-28 11:22:54 +02:00
..
systemd Drop capabilities in containers 2019-01-28 11:22:54 +02:00
usr-local-bin Indent (non-YAML) using tabs 2019-01-26 09:37:29 +02:00
env-synapse.j2
homeserver.yaml.j2 Make roles more independent of one another 2019-01-16 18:05:48 +02:00
synapse.log.config.j2