0xb00b5/firegex-traffic-viewer
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Dropped privileges from root to nobody, added capabilities with capsh

Browse Source
This commit is contained in:
DomySh
2022-08-02 13:13:58 +00:00
parent 41033c599e
commit 02ae916f58
4 changed files with 22 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files

17
Dockerfile
View File

@@ -2,7 +2,7 @@
FROM python:alpine
RUN apk update
RUN apk add g++ git pcre2-dev libnetfilter_queue-dev libpcap-dev libcrypto1.1 libnfnetlink-dev libmnl-dev make cmake nftables boost-dev
RUN apk add g++ git pcre2-dev libnetfilter_queue-dev libpcap-dev libcrypto1.1 libnfnetlink-dev libmnl-dev make cmake nftables boost-dev libcap shadow bash
WORKDIR /tmp/
RUN git clone --single-branch --branch release https://github.com/jpcre2/jpcre2
@@ -12,12 +12,19 @@ RUN ./configure; make; make install
WORKDIR /tmp/libtins
RUN mkdir build; cd build; cmake ../ -DLIBTINS_ENABLE_CXX11=1; make; make install
RUN mkdir -p /execute/modules
WORKDIR /execute
ADD ./backend/requirements.txt /execute/requirements.txt
RUN pip3 install --no-cache-dir -r /execute/requirements.txt
RUN pip3 install --no-cache-dir -r /execute/requirements.txt --no-warn-script-location
RUN chown nobody:nobody -R /execute/
RUN usermod -d /tmp/nobody nobody && usermod --shell /bin/sh nobody
USER nobody
RUN mkdir /tmp/nobody
COPY ./backend/binsrc /execute/binsrc
@@ -25,9 +32,11 @@ ARG GCC_PARAMS
RUN g++ binsrc/nfqueue.cpp -o modules/cppqueue -O3 -march=native -lnetfilter_queue -pthread -lpcre2-8 -ltins -lmnl -lnfnetlink
RUN g++ binsrc/proxy.cpp -o modules/proxy -O3 -march=native $GCC_PARAMS -pthread -lboost_system -lboost_thread -lpcre2-8
COPY ./backend/ /execute/
COPY ./frontend/build/ ./frontend/
ENTRYPOINT ["python3", "app.py", "DOCKER"]
USER root
ENTRYPOINT ["/bin/sh", "/execute/docker-entrypoint.sh"]