From bf1033145614663e490c69790e5830f059cffb3d Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev <slavi@devture.com>
Date: Mon, 28 Jan 2019 15:55:58 +0200
Subject: [PATCH] Make mautrix-whatsapp run as non-root and w/o capabilities

---
 .../tasks/ext/mautrix-telegram/setup.yml      |  6 ++---
 .../tasks/ext/mautrix-whatsapp/setup.yml      | 26 ++++++++++++++-----
 .../matrix-mautrix-whatsapp.service.j2        |  7 +++--
 3 files changed, 27 insertions(+), 12 deletions(-)

diff --git a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml
index 6bf97e22c..189c9356a 100644
--- a/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml
+++ b/roles/matrix-synapse/tasks/ext/mautrix-telegram/setup.yml
@@ -17,7 +17,7 @@
 - name: Check if a mautrix-telegram configuration file exists
   stat:
     path: "{{ matrix_mautrix_telegram_base_path }}/config.yaml"
-  register: mautrix_config_file_stat
+  register: mautrix_telegram_config_file_stat
 
 - name: Ensure Matrix Mautrix telegram config installed
   template:
@@ -26,7 +26,7 @@
     mode: 0644
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
-  when: "matrix_mautrix_telegram_enabled and not mautrix_config_file_stat.stat.exists"
+  when: "matrix_mautrix_telegram_enabled and not mautrix_telegram_config_file_stat.stat.exists"
 
 - name: (Migration) Fix up old configuration
   lineinfile:
@@ -37,7 +37,7 @@
   with_items:
     - {'regexp': '^(\s+)filename: \./mautrix-telegram.log', 'line': '\1filename: /data/mautrix-telegram.log'}
     - {'regexp': '^(\s+)database:', 'line': '\1database: sqlite:////data/mautrix-telegram.db'}
-  when: "matrix_mautrix_telegram_enabled and mautrix_config_file_stat.stat.exists"
+  when: "matrix_mautrix_telegram_enabled and mautrix_telegram_config_file_stat.stat.exists"
 
 - name: Ensure matrix-mautrix-telegram.service installed
   template:
diff --git a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml
index ee9b3358c..3c22c62c0 100644
--- a/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml
+++ b/roles/matrix-synapse/tasks/ext/mautrix-whatsapp/setup.yml
@@ -14,8 +14,10 @@
     group: "{{ matrix_user_username }}"
   when: "matrix_mautrix_whatsapp_enabled"
 
-- stat: "path={{ matrix_mautrix_whatsapp_base_path }}/config.yaml"
-  register: mautrix_config_file
+- name: Check if a mautrix-whatsapp configuration file exists
+  stat:
+    path: "{{ matrix_mautrix_whatsapp_base_path }}/config.yaml"
+  register: mautrix_whatsapp_config_file_stat
 
 - name: Ensure Matrix Mautrix whatsapp config installed
   template:
@@ -24,7 +26,7 @@
     mode: 0644
     owner: "{{ matrix_user_username }}"
     group: "{{ matrix_user_username }}"
-  when: "matrix_mautrix_whatsapp_enabled and mautrix_config_file.stat.exists == False"
+  when: "matrix_mautrix_whatsapp_enabled and not mautrix_whatsapp_config_file_stat.stat.exists"
 
 - name: Ensure matrix-mautrix-whatsapp.service installed
   template:
@@ -33,13 +35,23 @@
     mode: 0644
   when: "matrix_mautrix_whatsapp_enabled"
 
-- stat:
+- name: Check if a mautrix-whatsapp registration file exists
+  stat:
     path: "{{ matrix_mautrix_whatsapp_base_path }}/registration.yaml"
-  register: mautrix_whatsapp_registration_file
+  register: mautrix_whatsapp_registration_file_stat
 
 - name: Generate matrix-mautrix-whatsapp registration.yaml if it doesn't exist
-  shell: /usr/bin/docker run --rm --name matrix-mautrix-whatsapp-gen -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z {{ matrix_mautrix_whatsapp_docker_image }} /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml
-  when: "matrix_mautrix_whatsapp_enabled and mautrix_whatsapp_registration_file.stat.exists == False"
+  shell:
+    cmd: >-
+      /usr/bin/docker run
+      --rm
+      --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+      --cap-drop=ALL
+      --name matrix-mautrix-whatsapp-gen
+      -v {{ matrix_mautrix_whatsapp_base_path }}:/data:z
+      {{ matrix_mautrix_whatsapp_docker_image }}
+      /usr/bin/mautrix-whatsapp -g -c /data/config.yaml -r /data/registration.yaml
+  when: "matrix_mautrix_whatsapp_enabled and not mautrix_whatsapp_registration_file_stat.stat.exists"
 
 - set_fact:
     matrix_synapse_app_service_config_file_mautrix_whatsapp: '/app-registration/mautrix-whatsapp.yml'
diff --git a/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2 b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2
index e90b7a9ed..bb4194aaa 100644
--- a/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2
+++ b/roles/matrix-synapse/templates/ext/mautrix-whatsapp/systemd/matrix-mautrix-whatsapp.service.j2
@@ -11,10 +11,13 @@ ExecStartPre=-/usr/bin/docker kill matrix-mautrix-whatsapp
 ExecStartPre=-/usr/bin/docker rm matrix-mautrix-whatsapp
 ExecStart=/usr/bin/docker run --rm --name matrix-mautrix-whatsapp \
 			--log-driver=none \
-			-e "UID={{ matrix_user_uid }}" -e "GID={{ matrix_user_gid }}" \
+			--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+			--cap-drop=ALL \
 			--network={{ matrix_docker_network }} \
 			-v {{ matrix_mautrix_whatsapp_base_path }}:/data:z \
-			{{ matrix_mautrix_whatsapp_docker_image }}
+			--workdir=/data \
+			{{ matrix_mautrix_whatsapp_docker_image }} \
+			/usr/bin/mautrix-whatsapp
 ExecStop=-/usr/bin/docker kill matrix-mautrix-whatsapp
 ExecStop=-/usr/bin/docker rm matrix-mautrix-whatsapp
 Restart=always