Dropped privileges from root to nobody, added capabilities with capsh

backend/binsrc/nfqueue.cpp

@@ -44,10 +44,6 @@ bool filter_callback(const uint8_t *data, uint32_t len){
 
 int main(int argc, char *argv[])
 {
-	if(!is_sudo()){
-		cerr << "[fatal] [main] You must be root to run this program" << endl;
-		exit(EXIT_FAILURE);
-	}
 	int n_of_threads = 1;
 	if (argc >= 2) n_of_threads = atoi(argv[1]);
 	if(n_of_threads <= 0) n_of_threads = 1;

backend/binsrc/utils.hpp

@@ -20,9 +20,4 @@ bool unhexlify(std::string const &hex, std::string &newString) {
    }
 }
 
-
-bool is_sudo(){
-	return getuid() == 0;
-}
-
 #endif

backend/docker-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/sh
+
+chown nobody:nobody -R /execute/
+
+capsh --caps="cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
+    --keep=1 --user=nobody --addamb=cap_net_admin -- \
+    -c "python3 /execute/app.py DOCKER"
+
+