jjkiers/cloudron-box
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

drop NET_RAW since this allows packet sniffing

Browse Source 
this however breaks ping
This commit is contained in:
Girish Ramakrishnan
2020-05-15 12:47:33 -07:00
parent 437f39deb3
commit 2f89e7e2b4
1 changed files with 3 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/docker.js
+3 -2
View File
@@ -311,7 +311,8 @@ function createSubcontainer(app, name, cmd, options, callback) {
NetworkMode: 'cloudron', // user defined bridge network NetworkMode: 'cloudron', // user defined bridge network
Dns: ['172.18.0.1'], // use internal dns Dns: ['172.18.0.1'], // use internal dns
DnsSearch: ['.'], // use internal dns DnsSearch: ['.'], // use internal dns
SecurityOpt: [ 'apparmor=docker-cloudron-app' ] SecurityOpt: [ 'apparmor=docker-cloudron-app' ],
CapDrop: [ 'NET_RAW' ] // https://docs-stage.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
}, },
NetworkingConfig: { NetworkingConfig: {
EndpointsConfig: { EndpointsConfig: {
@@ -325,7 +326,7 @@ function createSubcontainer(app, name, cmd, options, callback) {
var capabilities = manifest.capabilities || []; var capabilities = manifest.capabilities || [];
if (capabilities.includes('net_admin')) { if (capabilities.includes('net_admin')) {
containerOptions.HostConfig.CapAdd = [ containerOptions.HostConfig.CapAdd = [
'NET_ADMIN' 'NET_ADMIN', 'NET_RAW'
]; ];
} }