mirror of
https://github.com/spantaleev/matrix-docker-ansible-deploy.git
synced 2024-12-12 08:43:55 +02:00
316d653d3e
We run containers as a non-root user (no effective capabilities). Still, if a setuid binary is available in a container image, it could potentially be used to give the user the default capabilities that the container was started with. For Docker, the default set currently is: - "CAP_CHOWN" - "CAP_DAC_OVERRIDE" - "CAP_FSETID" - "CAP_FOWNER" - "CAP_MKNOD" - "CAP_NET_RAW" - "CAP_SETGID" - "CAP_SETUID" - "CAP_SETFCAP" - "CAP_SETPCAP" - "CAP_NET_BIND_SERVICE" - "CAP_SYS_CHROOT" - "CAP_KILL" - "CAP_AUDIT_WRITE" We'd rather prevent such a potential escalation by dropping ALL capabilities. The problem is nicely explained here: https://github.com/projectatomic/atomic-site/issues/203
25 lines
717 B
Django/Jinja
25 lines
717 B
Django/Jinja
[Unit]
|
|
Description=Matrix mailer
|
|
After=docker.service
|
|
Requires=docker.service
|
|
|
|
[Service]
|
|
Type=simple
|
|
ExecStartPre=-/usr/bin/docker kill matrix-mailer
|
|
ExecStartPre=-/usr/bin/docker rm matrix-mailer
|
|
ExecStart=/usr/bin/docker run --rm --name matrix-mailer \
|
|
--log-driver=none \
|
|
--user={{ matrix_mailer_container_user_uid }}:{{ matrix_mailer_container_user_gid }} \
|
|
--cap-drop=ALL \
|
|
--network={{ matrix_docker_network }} \
|
|
--env-file={{ matrix_mailer_base_path }}/env-mailer \
|
|
--hostname={{ hostname_matrix }} \
|
|
{{ matrix_mailer_docker_image }}
|
|
ExecStop=-/usr/bin/docker kill matrix-mailer
|
|
ExecStop=-/usr/bin/docker rm matrix-mailer
|
|
Restart=always
|
|
RestartSec=30
|
|
|
|
[Install]
|
|
WantedBy=multi-user.target
|