From 2f89e7e2b40465df317be234bc80e0b843736df7 Mon Sep 17 00:00:00 2001
From: Girish Ramakrishnan
Date: Fri, 15 May 2020 12:47:33 -0700
Subject: [PATCH] drop NET_RAW since this allows packet sniffing

this however breaks ping
---
 src/docker.js | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/docker.js b/src/docker.js
index b0cb09a2c..04a59c5bb 100644
--- a/src/docker.js
+++ b/src/docker.js
@@ -311,7 +311,8 @@ function createSubcontainer(app, name, cmd, options, callback) {
 NetworkMode: 'cloudron', // user defined bridge network
 Dns: ['172.18.0.1'], // use internal dns
 DnsSearch: ['.'], // use internal dns
- SecurityOpt: [ 'apparmor=docker-cloudron-app' ]
+ SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
+ CapDrop: [ 'NET_RAW' ] // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
 },
 NetworkingConfig: {
 EndpointsConfig: {
@@ -325,7 +326,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
 var capabilities = manifest.capabilities || [];
 if (capabilities.includes('net_admin')) {
 containerOptions.HostConfig.CapAdd = [
- 'NET_ADMIN'
+ 'NET_ADMIN', 'NET_RAW'
 ];
 }
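Review bot: NET_RAW is now listed unconditionally in `CapDrop` (first hunk) and conditionally in `CapAdd` for `net_admin` apps (second hunk), so the effective capability set for those apps depends on how the daemon resolves a capability that appears in both lists; I would verify that against the Docker version in use rather than rely on it, or make it unambiguous by only adding `'NET_RAW'` to `CapDrop` when `net_admin` is not requested. The regression the commit message notes ("this however breaks ping") can likely be avoided without handing NET_RAW back: unprivileged ICMP echo works through `net.ipv4.ping_group_range`, which can be set per container via `HostConfig.Sysctls`, e.g. `Sysctls: { 'net.ipv4.ping_group_range': '0 2147483647' }` — worth confirming the kernel in use honours it for containers. The justification comment on the `CapDrop` line points at a `docs-stage` host; the stable docs URL would age better, and a one-line why-comment such as `// NET_RAW allows raw sockets and thus sniffing on the shared bridge` states the actual risk for future readers. createSubcontainer's body continues outside both hunks.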