From 9438402f61560ac7e76e7569f341defd0bcd3159 Mon Sep 17 00:00:00 2001
From: Slavi Pantaleev
Date: Mon, 28 Jan 2019 11:43:32 +0200
Subject: [PATCH] Drop capabilities in a few more places

Continuation of 316d653d3e0530
---
 .../tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml | 2 ++
 .../matrix-ssl-lets-encrypt-certificates-renew.j2 | 1 +
 roles/matrix-postgres/tasks/import_postgres.yml | 1 +
 roles/matrix-postgres/tasks/import_sqlite_db.yml | 5 +++--
 roles/matrix-postgres/tasks/upgrade_postgres.yml | 1 +
 .../templates/usr-local-bin/matrix-make-user-admin.j2 | 2 ++
 .../templates/usr-local-bin/matrix-postgres-cli.j2 | 2 ++
 roles/matrix-synapse/tasks/setup_synapse_main.yml | 1 +
 8 files changed, 13 insertions(+), 2 deletions(-)

diff --git a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
index 1882400e..8adc1e60 100644
--- a/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
+++ b/roles/matrix-nginx-proxy/tasks/ssl/setup_ssl_lets_encrypt_obtain_for_domain.yml
@@ -20,6 +20,7 @@
 --rm
 --name=matrix-certbot
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
 -p 80:8080
 -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
 -v {{ matrix_ssl_log_dir_path }}:/var/log/letsencrypt
@@ -46,6 +47,7 @@
 --rm
 --name=matrix-certbot
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
 -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080
 --network={{ matrix_docker_network }}
 -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt
diff --git a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2 b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
index b723da38..1b36acaf 100644
--- a/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
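Review bot: The added `--cap-drop=ALL \` line ends with a backslash while its neighbours `--rm`, `--name=matrix-certbot`, `-p 80:8080` and the two `-v` lines do not; the scalar header of this value is outside the hunk, but a backslash-free multi-line argument list is what a YAML folded (`>-`) scalar looks like, and in a folded scalar a trailing `\` is not a line continuation — the newline becomes a space and the shell receives `\ ` as an escaped space glued onto the following argument. The same mixed pattern appears in the second hunk of this file (`@@ -46,6 +47,7 @@`). Suggest adding `--cap-drop=ALL` without the backslash, and checking whether the pre-existing `--user=… \` line that the new line copies its style from has the same problem. If the value is instead a literal (`|`) block, then the lines without `\` are the broken ones, so either way the hunk should be made consistent.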
+++ b/roles/matrix-nginx-proxy/templates/usr-local-bin/matrix-ssl-lets-encrypt-certificates-renew.j2
@@ -10,6 +10,7 @@ docker run \
 --rm \
 --name=matrix-certbot \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
 --network="{{ matrix_docker_network }}" \
 -p 127.0.0.1:{{ matrix_ssl_lets_encrypt_certbot_standalone_http_port }}:8080 \
 -v {{ matrix_ssl_config_dir_path }}:/etc/letsencrypt \
diff --git a/roles/matrix-postgres/tasks/import_postgres.yml b/roles/matrix-postgres/tasks/import_postgres.yml
index 17590023..9f1c15c0 100644
--- a/roles/matrix-postgres/tasks/import_postgres.yml
+++ b/roles/matrix-postgres/tasks/import_postgres.yml
@@ -61,6 +61,7 @@
 matrix_postgres_import_command: >-
 /usr/bin/docker run --rm --name matrix-postgres-import
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }}
+ --cap-drop=ALL
 --network={{ matrix_docker_network }}
 --env-file={{ matrix_postgres_base_path }}/env-postgres-psql
 -v {{ server_path_postgres_dump }}:/{{ server_path_postgres_dump|basename }}:ro
diff --git a/roles/matrix-postgres/tasks/import_sqlite_db.yml b/roles/matrix-postgres/tasks/import_sqlite_db.yml
index b3cf75be..c989dca9 100644
--- a/roles/matrix-postgres/tasks/import_sqlite_db.yml
+++ b/roles/matrix-postgres/tasks/import_sqlite_db.yml
@@ -79,11 +79,12 @@
 detach: no
 cleanup: yes
 entrypoint: /usr/local/bin/python
- command: "/usr/local/bin/synapse_port_db --sqlite-database {{ server_path_homeserver_db }} --postgres-config /data/homeserver.yaml"
+ command: "/usr/local/bin/synapse_port_db --sqlite-database /{{ server_path_homeserver_db|basename }} --postgres-config /data/homeserver.yaml"
 user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
+ cap_drop: ['all']
 volumes:
 - "{{ matrix_synapse_config_dir_path }}:/data"
 - "{{ matrix_synapse_run_path }}:/matrix-run"
- - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db }}:ro"
+ - "{{ server_path_homeserver_db }}:/{{ server_path_homeserver_db|basename }}:ro"
 networks:
 - name: "{{ matrix_docker_network }}"
diff --git a/roles/matrix-postgres/tasks/upgrade_postgres.yml b/roles/matrix-postgres/tasks/upgrade_postgres.yml
index e1fcf639..c32634b9 100644
--- a/roles/matrix-postgres/tasks/upgrade_postgres.yml
+++ b/roles/matrix-postgres/tasks/upgrade_postgres.yml
@@ -106,6 +106,7 @@
 command: |
 /usr/bin/docker run --rm --name matrix-postgres-import \
 --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
 --network={{ matrix_docker_network }} \
 --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 -v {{ postgres_dump_dir }}:/in:ro \
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
index 7b8fba37..5f474453 100644
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-make-user-admin.j2
@@ -8,6 +8,8 @@ fi
 docker run \
 -it \
 --rm \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
 --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 --network {{ matrix_docker_network }} \
 {{ matrix_postgres_docker_image_to_use }} \
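Review bot: Besides `cap_drop: ['all']`, the import_sqlite_db.yml hunk changes the `--sqlite-database` argument and the matching volume target from `/{{ server_path_homeserver_db }}` to `/{{ server_path_homeserver_db|basename }}`, a path fix that is independent of capability dropping and that the subject `Drop capabilities in a few more places` does not mention. Someone later tracing when the mount target changed will not find it from the commit message, so a sentence in the description or a comment above the `command:` line, such as `# the host DB file is mounted at /<basename> inside the container; keep this path and the volume entry in sync`, would help. The value is written `['all']` here and in the setup_synapse_main.yml hunk while the shell-based tasks use `--cap-drop=ALL`; both spellings are accepted by Docker as far as I know, but one spelling across the role would make auditing easier. The enclosing task starts before the hunk.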
diff --git a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2 b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
index 07e1f43b..34836629 100644
--- a/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
+++ b/roles/matrix-postgres/templates/usr-local-bin/matrix-postgres-cli.j2
@@ -3,6 +3,8 @@
 docker run \
 -it \
 --rm \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
+ --cap-drop=ALL \
 --env-file={{ matrix_postgres_base_path }}/env-postgres-psql \
 --network {{ matrix_docker_network }} \
 {{ matrix_postgres_docker_image_to_use }} \
diff --git a/roles/matrix-synapse/tasks/setup_synapse_main.yml b/roles/matrix-synapse/tasks/setup_synapse_main.yml
index 7d86428c..57a296bc 100644
--- a/roles/matrix-synapse/tasks/setup_synapse_main.yml
+++ b/roles/matrix-synapse/tasks/setup_synapse_main.yml
@@ -41,6 +41,7 @@
 SYNAPSE_SERVER_NAME: "{{ hostname_matrix }}"
 SYNAPSE_REPORT_STATS: "no"
 user: "{{ matrix_user_uid }}:{{ matrix_user_gid }}"
+ cap_drop: ['all']
 volumes:
 - "{{ matrix_synapse_config_dir_path }}:/data"
 when: "not matrix_synapse_config_stat.stat.exists"