We run containers as a non-root user (no effective capabilities). Still, if a setuid binary is available in a container image, it could potentially be used to give the user the default capabilities that the container was started with. For Docker, the default set currently is: - "CAP_CHOWN" - "CAP_DAC_OVERRIDE" - "CAP_FSETID" - "CAP_FOWNER" - "CAP_MKNOD" - "CAP_NET_RAW" - "CAP_SETGID" - "CAP_SETUID" - "CAP_SETFCAP" - "CAP_SETPCAP" - "CAP_NET_BIND_SERVICE" - "CAP_SYS_CHROOT" - "CAP_KILL" - "CAP_AUDIT_WRITE" We'd rather prevent such a potential escalation by dropping ALL capabilities. The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
33 lines
1.1 KiB
Django/Jinja
33 lines
1.1 KiB
Django/Jinja
[Unit]
|
|
Description=Matrix Corporal
|
|
{% for service in matrix_corporal_systemd_required_services_list %}
|
|
Requires={{ service }}
|
|
After={{ service }}
|
|
{% endfor %}
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStartPre=-/usr/bin/docker kill matrix-corporal
|
|
ExecStartPre=-/usr/bin/docker rm matrix-corporal
|
|
ExecStart=/usr/bin/docker run --rm --name matrix-corporal \
|
|
--log-driver=none \
|
|
--user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
|
|
--cap-drop=ALL \
|
|
--network={{ matrix_docker_network }} \
|
|
{% if matrix_corporal_container_expose_ports %}
|
|
-p 127.0.0.1:41080:41080 \
|
|
-p 127.0.0.1:41081:41081 \
|
|
{% endif %}
|
|
-v {{ matrix_corporal_config_dir_path }}:/etc/matrix-corporal:ro \
|
|
-v {{ matrix_corporal_cache_dir_path }}:/var/cache/matrix-corporal:rw \
|
|
-v {{ matrix_corporal_var_dir_path }}:/var/matrix-corporal:rw \
|
|
{{ matrix_corporal_docker_image }} \
|
|
/matrix-corporal -config=/etc/matrix-corporal/config.json
|
|
ExecStop=-/usr/bin/docker kill matrix-corporal
|
|
ExecStop=-/usr/bin/docker rm matrix-corporal
|
|
Restart=always
|
|
RestartSec=30
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|