Dropped privileges from root to nobody, added capabilities with capsh

DomySh
2022-08-02 13:13:58 +00:00
parent 41033c599e
commit 02ae916f58
4 changed files with 22 additions and 13 deletions


@@ -2,7 +2,7 @@
FROM python:alpine FROM python:alpine
RUN apk update RUN apk update
RUN apk add g++ git pcre2-dev libnetfilter_queue-dev libpcap-dev libcrypto1.1 libnfnetlink-dev libmnl-dev make cmake nftables boost-dev RUN apk add g++ git pcre2-dev libnetfilter_queue-dev libpcap-dev libcrypto1.1 libnfnetlink-dev libmnl-dev make cmake nftables boost-dev libcap shadow bash
WORKDIR /tmp/ WORKDIR /tmp/
RUN git clone --single-branch --branch release https://github.com/jpcre2/jpcre2 RUN git clone --single-branch --branch release https://github.com/jpcre2/jpcre2
@@ -12,12 +12,19 @@ RUN ./configure; make; make install
WORKDIR /tmp/libtins WORKDIR /tmp/libtins
RUN mkdir build; cd build; cmake ../ -DLIBTINS_ENABLE_CXX11=1; make; make install RUN mkdir build; cd build; cmake ../ -DLIBTINS_ENABLE_CXX11=1; make; make install
RUN mkdir -p /execute/modules RUN mkdir -p /execute/modules
WORKDIR /execute WORKDIR /execute
ADD ./backend/requirements.txt /execute/requirements.txt ADD ./backend/requirements.txt /execute/requirements.txt
RUN pip3 install --no-cache-dir -r /execute/requirements.txt
RUN pip3 install --no-cache-dir -r /execute/requirements.txt --no-warn-script-location
RUN chown nobody:nobody -R /execute/
RUN usermod -d /tmp/nobody nobody && usermod --shell /bin/sh nobody
USER nobody
RUN mkdir /tmp/nobody
COPY ./backend/binsrc /execute/binsrc COPY ./backend/binsrc /execute/binsrc
@@ -25,9 +32,11 @@ ARG GCC_PARAMS
RUN g++ binsrc/nfqueue.cpp -o modules/cppqueue -O3 -march=native -lnetfilter_queue -pthread -lpcre2-8 -ltins -lmnl -lnfnetlink RUN g++ binsrc/nfqueue.cpp -o modules/cppqueue -O3 -march=native -lnetfilter_queue -pthread -lpcre2-8 -ltins -lmnl -lnfnetlink
RUN g++ binsrc/proxy.cpp -o modules/proxy -O3 -march=native $GCC_PARAMS -pthread -lboost_system -lboost_thread -lpcre2-8 RUN g++ binsrc/proxy.cpp -o modules/proxy -O3 -march=native $GCC_PARAMS -pthread -lboost_system -lboost_thread -lpcre2-8
COPY ./backend/ /execute/ COPY ./backend/ /execute/
COPY ./frontend/build/ ./frontend/ COPY ./frontend/build/ ./frontend/
ENTRYPOINT ["python3", "app.py", "DOCKER"] USER root
ENTRYPOINT ["/bin/sh", "/execute/docker-entrypoint.sh"]
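Review bot: The build-time `RUN chown nobody:nobody -R /execute/` on line 26 runs before `COPY ./backend/binsrc`, `COPY ./backend/` and `COPY ./frontend/build/` (lines 30, 34, 35), and COPY writes as root regardless of the active `USER`, so the ownership fix is undone by the later copies and the entrypoint then has to repeat a recursive chown as root on every container start. Setting ownership at copy time — `COPY --chown=nobody:nobody ./backend/ /execute/` and the same flag on the other two COPY lines — keeps the tree consistent inside the image and makes the runtime chown unnecessary. Because `USER root` on line 36 is the image's final user, the privilege drop now lives entirely in `docker-entrypoint.sh`, so anything that bypasses it (`--entrypoint`, `docker exec`) runs as root; that trade-off deserves a comment on the line, e.g. `# root is needed only so the entrypoint can chown and drop to nobody via capsh`. The hunk headers count more lines than are visible here, so some context of this section may be missing.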


@@ -44,10 +44,6 @@ bool filter_callback(const uint8_t *data, uint32_t len){
int main(int argc, char *argv[]) int main(int argc, char *argv[])
{ {
if(!is_sudo()){
cerr << "[fatal] [main] You must be root to run this program" << endl;
exit(EXIT_FAILURE);
}
int n_of_threads = 1; int n_of_threads = 1;
if (argc >= 2) n_of_threads = atoi(argv[1]); if (argc >= 2) n_of_threads = atoi(argv[1]);
if(n_of_threads <= 0) n_of_threads = 1; if(n_of_threads <= 0) n_of_threads = 1;


@@ -20,9 +20,4 @@ bool unhexlify(std::string const &hex, std::string &newString) {
} }
} }
bool is_sudo(){
return getuid() == 0;
}
#endif #endif


@@ -0,0 +1,9 @@
#!/bin/sh
chown nobody:nobody -R /execute/
capsh --caps="cap_net_admin+eip cap_setpcap,cap_setuid,cap_setgid+ep" \
--keep=1 --user=nobody --addamb=cap_net_admin -- \
-c "python3 /execute/app.py DOCKER"