NoNewPrivileges on most containers. drop all caps on a few others

2026-01-11 14:11:56 +07:00 · 2026-01-11 14:11:56 +07:00 · b3e4af5aca
commit b3e4af5aca
parent fb2dd2c723
36 changed files with 80 additions and 1 deletions
--- a/beeper/etc/containers/systemd/aode/aode-relay.container
+++ b/beeper/etc/containers/systemd/aode/aode-relay.container
@ -8,6 +8,9 @@ EnvironmentFile=/etc/containers/systemd/aode/.env.secrets
 EnvironmentFile=/etc/containers/systemd/aode/.env
 PublishPort=127.0.0.1:19438:8080
 Volume=/var/containers/aode/data:/db:Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/ask-js/ask-js.container
+++ b/beeper/etc/containers/systemd/ask-js/ask-js.container
@ -10,6 +10,9 @@ Network=ask-js.network
 Network=postgresql.network
 PublishPort=127.0.0.1:20617:3579
 Volume=/var/containers/ask-js/config:/app/config:ro,Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/caddy/caddy.container
+++ b/beeper/etc/containers/systemd/caddy/caddy.container
@ -3,7 +3,6 @@ Description=Caddy reverse proxy
 [Container]
 ContainerName=caddy
 AddCapability=NET_ADMIN
 Image=ghcr.io/zenfyrdev/caddy:latest
 Network=host
 Volume=/etc/caddy:/etc/caddy:z
@ -11,6 +10,10 @@ Volume=/var/containers/caddy/config:/config:z
 Volume=/var/containers/caddy/data:/data:z
 Volume=/var/log/caddy:/var/log/caddy:z
 Volume=/var/www:/var/www:z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
 AddCapability=NET_ADMIN NET_BIND_SERVICE
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/copyparty/copyparty.container
+++ b/beeper/etc/containers/systemd/copyparty/copyparty.container
@ -15,6 +15,8 @@ HealthCmd=wget --spider -q 127.0.0.1:3923/?reset=/._
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/ejabberd/ejabberd.container
+++ b/beeper/etc/containers/systemd/ejabberd/ejabberd.container
@ -21,6 +21,8 @@ Volume=/var/containers/ejabberd/config:/opt/ejabberd/conf:ro,Z
 Volume=/var/containers/ejabberd/files:/opt/ejabberd/upload:Z
 Volume=/var/containers/ejabberd/database:/opt/ejabberd/database:Z
 Volume=/etc/certs:/etc/letsencrypt/live:ro,z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo-runner.container
@ -12,6 +12,8 @@ User=1001:1001
 Exec=/bin/sh -c "sleep 5; forgejo-runner daemon"
 Volume=/var/containers/forgejo/runner/data:/data:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/forgejo/forgejo.container
+++ b/beeper/etc/containers/systemd/forgejo/forgejo.container
@ -13,6 +13,8 @@ PublishPort=127.0.0.1:41807:3000
 PublishPort=10429:22
 Timezone=local
 Volume=/var/containers/forgejo/data:/data:Z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/freshrss/freshrss.container
+++ b/beeper/etc/containers/systemd/freshrss/freshrss.container
@ -12,6 +12,8 @@ Network=postgresql.network
 PublishPort=127.0.0.1:27819:80
 Volume=/var/containers/freshrss/data:/var/www/FreshRSS/data:Z
 Volume=/var/containers/freshrss/extensions:/var/www/FreshRSS/extensions:Z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/i2pd/i2pd.container
+++ b/beeper/etc/containers/systemd/i2pd/i2pd.container
@ -7,6 +7,9 @@ ContainerName=i2pd
 AutoUpdate=registry
 Network=host
 Volume=/var/containers/i2pd/data:/home/i2pd/data:Z,U
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
+++ b/beeper/etc/containers/systemd/iceshrimp/iceshrimp.container
@ -12,6 +12,8 @@ Network=postgresql.network
 PublishPort=127.0.0.1:24042:24042
 Volume=/var/containers/iceshrimp/data/media:/data/media:Z
 Volume=/var/containers/iceshrimp/config:/app/config:ro,Z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/knot/knot.container
+++ b/beeper/etc/containers/systemd/knot/knot.container
@ -10,6 +10,8 @@ PublishPort=20564:22
 Volume=/var/containers/knot/keys:/etc/ssh/keys:Z
 Volume=/var/containers/knot/repositories:/home/git/repositories:Z
 Volume=/var/containers/knot/data:/app:Z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mailserver/mailserver.container
+++ b/beeper/etc/containers/systemd/mailserver/mailserver.container
@ -24,6 +24,8 @@ HealthCmd=ss --listening --tcp | grep -P 'LISTEN.+:smtp' || exit 1
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-dfdb.container
@ -17,6 +17,8 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-ingress.container
@ -10,6 +10,8 @@ EnvironmentFile=/etc/containers/systemd/mastodon/.env.secrets
 EnvironmentFile=/etc/containers/systemd/mastodon/.env
 Network=mastodon.network
 Network=postgresql.network
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-sidekiq.container
@ -17,6 +17,8 @@ HealthCmd=ps aux | grep '[s]idekiq\ 8' || false
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-streaming.container
@ -17,6 +17,8 @@ HealthCmd=curl -s --noproxy localhost localhost:4000/api/v1/streaming/health | g
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mastodon/mastodon-web.container
+++ b/beeper/etc/containers/systemd/mastodon/mastodon-web.container
@ -20,6 +20,8 @@ HealthCmd=curl -s --noproxy localhost localhost:3000/health | grep -q 'OK' || ex
 HealthOnFailure=kill
 HealthStartPeriod=1m
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/mollysocket/mollysocket.container
+++ b/beeper/etc/containers/systemd/mollysocket/mollysocket.container
@ -11,6 +11,8 @@ Exec=server
 PublishPort=127.0.0.1:19236:19236
 Volume=/var/containers/mollysocket/data:/data:Z
 WorkingDir=/data
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/pds/pds.container
+++ b/beeper/etc/containers/systemd/pds/pds.container
@ -8,6 +8,9 @@ EnvironmentFile=/etc/containers/systemd/pds/.env.secrets
 EnvironmentFile=/etc/containers/systemd/pds/.env
 PublishPort=127.0.0.1:24318:3000
 Volume=/var/containers/pds/data:/pds:Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/postgresql/postgresql.container
+++ b/beeper/etc/containers/systemd/postgresql/postgresql.container
@ -14,6 +14,8 @@ HealthCmd=pg_isready -U postgres -d postgres
 HealthOnFailure=kill
 HealthStartPeriod=30s
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/redlib/redlib.container
+++ b/beeper/etc/containers/systemd/redlib/redlib.container
@ -13,6 +13,8 @@ HealthOnFailure=kill
 HealthInterval=5m
 HealthStartPeriod=30s
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-backend.container
@ -8,6 +8,8 @@ AutoUpdate=registry
 Environment=PORT=7000
 Environment=URL=https://b.twitch.synth.download
 PublishPort=127.0.0.1:43072:7000
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
+++ b/beeper/etc/containers/systemd/safetwitch/safetwitch-frontend.container
@ -13,6 +13,8 @@ Environment=SAFETWITCH_HTTPS=true
 Environment=SAFETWITCH_DEFAULT_LOCALE=en
 Environment=SAFETWITCH_FALLBACK_LOCALE=en
 PublishPort=127.0.0.1:24682:8280
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
+++ b/beeper/etc/containers/systemd/searxng/searxng-dfdb.container
@ -15,6 +15,8 @@ HealthInterval=5s
 HealthRetries=20
 Network=searxng.network
 Volume=/var/containers/searxng/dragonfly:/data:Z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/searxng/searxng.container
+++ b/beeper/etc/containers/systemd/searxng/searxng.container
@ -11,6 +11,8 @@ PublishPort=127.0.0.1:48898:8080
 Network=searxng.network
 Volume=/var/containers/searxng/config:/etc/searxng:ro,Z
 Volume=/var/containers/searxng/cache:/var/cache/searxng
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-activity.container
@ -18,6 +18,8 @@ PublishPort=127.0.0.1:47815:3002
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/activity:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-api.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-api.container
@ -17,6 +17,8 @@ PublishPort=127.0.0.1:60628:3001
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/api:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-dfdb.container
@ -17,6 +17,8 @@ HealthCmd=redis-cli ping
 HealthOnFailure=kill
 HealthStartPeriod=10s
 Notify=healthy
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-media.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-media.container
@ -18,6 +18,8 @@ PublishPort=127.0.0.1:57378:3003
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/media:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
+++ b/beeper/etc/containers/systemd/sharkey/sharkey-worker.container
@ -15,6 +15,8 @@ Network=postgresql.network
 Volume=/var/containers/sharkey/files:/sharkey/files:z
 Volume=/var/containers/sharkey/worker:/sharkey/.config:z
 Volume=/var/containers/sharkey/default.yml:/sharkey/.config/default.yml:ro,z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/spindle/spindle.container
+++ b/beeper/etc/containers/systemd/spindle/spindle.container
@ -9,6 +9,8 @@ PublishPort=127.0.0.1:40653:6555
 Volume=/var/containers/spindle/logs:/var/log/spindle:Z
 Volume=/var/containers/spindle/data:/app:Z
 Volume=/var/run/dind/docker.sock:/var/run/docker.sock:z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/tor/tor.container
+++ b/beeper/etc/containers/systemd/tor/tor.container
@ -8,6 +8,9 @@ AutoUpdate=registry
 Network=host
 Volume=/var/containers/tor/config:/etc/tor:ro,Z
 Volume=/var/containers/tor/data:/var/lib/tor:Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
+++ b/beeper/etc/containers/systemd/vaultwarden/vaultwarden.container
@ -7,6 +7,8 @@ ContainerName=vaultwarden
 EnvironmentFile=/etc/containers/systemd/vaultwarden/.env
 PublishPort=127.0.0.1:60838:80
 Volume=/var/containers/vaultwarden/data:/data:Z
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
+++ b/beeper/etc/containers/systemd/xpost/xpost-zenfyr.container
@ -5,6 +5,8 @@ Description=zenfyr's XPost
 Image=ghcr.io/zenfyrdev/xpost:latest
 EnvironmentFile=/etc/containers/systemd/xpost/zenfyr.env
 Volume=/var/containers/zenfyr-xpost/data:/app/data:Z,U
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
+++ b/beeper/etc/containers/systemd/yggdrasil/yggdrasil.container
@ -8,6 +8,9 @@ AutoUpdate=registry
 Exec=-useconffile /etc/yggdrasil/yggdrasil.conf -remote-tcp 22:22 -remote-tcp 80:80 -remote-udp 80:80
 Network=host
 Volume=/var/containers/yggdrasil/config:/etc/yggdrasil:ro,Z
 # Security
 NoNewPrivileges=true
 DropCapability=ALL
 [Service]
 Restart=always
--- a/beeper/etc/containers/systemd/zitadel/zitadel.container
+++ b/beeper/etc/containers/systemd/zitadel/zitadel.container
@ -11,6 +11,8 @@ Network=zitadel.network
 Network=postgresql.network
 PublishPort=127.0.0.1:19241:8080
 Exec=start-from-init --masterkeyFromEnv --tlsMode external
 # Security
 NoNewPrivileges=true
 [Service]
 Restart=always