Secure capabilities

2024-02-10 15:39:35 +01:00 · 2024-02-10 15:39:35 +01:00 · 57adc3efbd
parent 5390c9c7a2
commit 57adc3efbd
2 changed files with 8 additions and 12 deletions
--- a/roles/apps/templates/compose-files/caddy.yml.j2
+++ b/roles/apps/templates/compose-files/caddy.yml.j2
@ -19,10 +19,9 @@ services:
      - "./data/caddy-config:/config:rw"
      - "./data/caddy-data:/data:rw"
    cap_add:
-      - net_bind_service
-      - dac_override
+      - NET_BIND_SERVICE
    cap_drop:
-      - all
+      - ALL

 networks:
  {{ apps_shared_docker_network }}:
--- a/roles/apps/templates/compose-files/searxng.yml.j2
+++ b/roles/apps/templates/compose-files/searxng.yml.j2
@ -11,11 +11,10 @@ services:
    volumes:
      - "./data/redis:/data:rw"
    cap_add:
-      - dac_override
-      - setuid
-      - setgid
+      - SETUID
+      - SETGID
    cap_drop:
-      - all
+      - ALL

  app:
    image: searxng/searxng:{{ apps_vars.searxng.version }}
@ -30,12 +29,10 @@ services:
    volumes:
      - "./data/settings.yml:/etc/searxng/settings.yml:ro"
    cap_add:
-      - chown
-      - dac_override
-      - setuid
-      - setgid
+      - SETUID
+      - SETGID
    cap_drop:
-      - all
+      - ALL
    depends_on:
      - redis