Differences From Artifact [5949bb4cf1]:
- Executable file Makefile.in — part of check-in [f715add938] at 2022-08-29 17:54:35 on branch trunk — Researched, tested, and documented the set of "docker create --cap-drop" options we can add to strip away unnecessary root privileges inside the container without harming normal operation. Belt-and-suspenders: if any bad actor ever got into the container with root privileges, this would help prevent them from affecting anything outside the container. Added that set to the "make container-run" target so they get applied by default in the easy case. (user: wyoung size: 4700)
To Artifact [db54f02179]:
- Executable file Makefile.in — part of check-in [bc09e28a26] at 2022-08-30 01:49:29 on branch trunk — Embroidered the "make container-run" target to make it more convenient. (user: wyoung size: 4779)
| ︙ | ︙ | |||
131 132 133 134 135 136 137 138 139 140 141 142 | --cap-drop FSETID \ --cap-drop KILL \ --cap-drop MKNOD \ --cap-drop NET_BIND_SERVICE \ --cap-drop NET_RAW \ --cap-drop SETFCAP \ --cap-drop SETPCAP \ $(DRFLAGS) fossil:@FOSSIL_CI_PFX@ @srcdir@/Dockerfile: @srcdir@/Dockerfile.in @srcdir@/manifest.uuid @AUTOREMAKE@ | > > | 131 132 133 134 135 136 137 138 139 140 141 142 143 144 | --cap-drop FSETID \ --cap-drop KILL \ --cap-drop MKNOD \ --cap-drop NET_BIND_SERVICE \ --cap-drop NET_RAW \ --cap-drop SETFCAP \ --cap-drop SETPCAP \ --detach --publish 8080:8080 \ $(DRFLAGS) fossil:@FOSSIL_CI_PFX@ docker container logs fossil-@FOSSIL_CI_PFX@ @srcdir@/Dockerfile: @srcdir@/Dockerfile.in @srcdir@/manifest.uuid @AUTOREMAKE@ |
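Review bot: `--publish 8080:8080` on the added line ahead of `$(DRFLAGS)` carries no host address, so Docker binds the port on every host interface, which sits oddly beside the `--cap-drop` hardening directly above it. Consider `--publish 127.0.0.1:8080:8080` as the default, or moving the port mapping into a make variable, since a `--publish` passed through `$(DRFLAGS)` adds a mapping rather than replacing this one. Separately, the new `docker container logs fossil-@FOSSIL_CI_PFX@` recipe line runs immediately after a `--detach` start, so it may print nothing if the server has not written its first output yet, and it depends on the container name matching whatever name is set above the visible context. A short comment in the Makefile stating that the target now leaves a container running in the background and publishes port 8080 would also help, since neither is obvious from the target name.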