From 4f6780ea7de4ca45604ef7c102a58d7dda4268db Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Thu, 15 May 2025 13:58:47 +0200
Subject: [PATCH 1/8] Allow dropping certain capabilities
---
 starter/runner.py | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/starter/runner.py b/starter/runner.py
index 8d66613..ea8615f 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -49,6 +49,7 @@
 TMPFS_MOUNT_SIZE_IN_BYTES = os.environ.get(
 "PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"
 )
+DROPPED_CAPABILITIES = os.environ.get('PYTHON_RUNNER_DROPPED_CAPABILITIES', []).split(',')
 OTHER_OPTIONS = os.environ.get("PYTHON_RUNNER_OTHER_OPTIONS", "[]")
 try:
 OTHER_OPTIONS = ast.literal_eval(OTHER_OPTIONS)
@@ -308,6 +309,8 @@ def run_python(data):
 command.extend(
 ["--mount", f"type=tmpfs,dst=/tmp,tmpfs-size={TMPFS_MOUNT_SIZE_IN_BYTES}"]
 )
+ if DROPPED_CAPABILITIES:
+ command.extend(f'--cap-drop={capability}' for capability in DROPPED_CAPABILITIES)
 # other options, these options are experimental, may cause failure to start script
 if OTHER_OPTIONS and isinstance(OTHER_OPTIONS, list):
 for option in OTHER_OPTIONS:
From 3dde0fd6f1028028562a43e25dfbdd2616e6f866 Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Thu, 15 May 2025 14:02:21 +0200
Subject: [PATCH 2/8] Allow setting "--security-opt no-new-privileges"
---
 starter/runner.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/starter/runner.py b/starter/runner.py
index ea8615f..a90411b 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -50,6 +50,7 @@
 "PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"
 )
 DROPPED_CAPABILITIES = os.environ.get('PYTHON_RUNNER_DROPPED_CAPABILITIES', []).split(',')
+NO_NEW_PRIVILEGES = os.environ.get('PYTHON_RUNNER_NO_NEW_PRIVILEGES', 'false').lower() == "true"
 OTHER_OPTIONS = os.environ.get("PYTHON_RUNNER_OTHER_OPTIONS", "[]")
 try:
 OTHER_OPTIONS = ast.literal_eval(OTHER_OPTIONS)
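Review bot: In [PATCH 1/8], nothing near the added `--cap-drop` lines in run_python tells the operator that the OTHER_OPTIONS loop which follows can undo them. That loop's body is outside the hunk, but if it appends the operator's options to the same command, as the surrounding comment suggests, an entry such as `--cap-add` or `--privileged` there would widen the capability set again. I would add a comment above the block, e.g. `# NOTE: OTHER_OPTIONS is applied after this and can re-add capabilities (--cap-add, --privileged)`, and say the same wherever the environment variable is documented.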
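Review bot: In [PATCH 2/8], the NO_NEW_PRIVILEGES assignment enables the hardening only for the exact string `true`; values such as `1`, `yes` or `on` are silently read as off, so an operator can believe the flag is active when it is not. For a security switch I would accept the usual truthy spellings, e.g. `.strip().lower() in ("1", "true", "yes", "on")`, and raise a `ValueError` for anything outside the known true/false set rather than defaulting to off. Logging the effective value once at startup would also make the state visible.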
@@ -311,6 +312,9 @@ def run_python(data):
 )
 if DROPPED_CAPABILITIES:
 command.extend(f'--cap-drop={capability}' for capability in DROPPED_CAPABILITIES)
+ if NO_NEW_PRIVILEGES:
+ # Prevent container from gaining additional privileges
+ command.append('--security-opt no-new-privileges')
 # other options, these options are experimental, may cause failure to start script
 if OTHER_OPTIONS and isinstance(OTHER_OPTIONS, list):
 for option in OTHER_OPTIONS:
From 8250e281d91b3533d4e13e0c73546dbf0510cbfa Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Thu, 15 May 2025 14:09:25 +0200
Subject: [PATCH 3/8] Fix code style
---
 starter/runner.py | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/starter/runner.py b/starter/runner.py
index a90411b..c25d7d1 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -49,8 +49,12 @@
 TMPFS_MOUNT_SIZE_IN_BYTES = os.environ.get(
 "PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"
 )
-DROPPED_CAPABILITIES = os.environ.get('PYTHON_RUNNER_DROPPED_CAPABILITIES', []).split(',')
-NO_NEW_PRIVILEGES = os.environ.get('PYTHON_RUNNER_NO_NEW_PRIVILEGES', 'false').lower() == "true"
+DROPPED_CAPABILITIES = os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", []).split(
+ ","
+)
+NO_NEW_PRIVILEGES = (
+ os.environ.get("PYTHON_RUNNER_NO_NEW_PRIVILEGES", "false").lower() == "true"
+)
 OTHER_OPTIONS = os.environ.get("PYTHON_RUNNER_OTHER_OPTIONS", "[]")
 try:
 OTHER_OPTIONS = ast.literal_eval(OTHER_OPTIONS)
@@ -311,10 +315,12 @@ def run_python(data):
 ["--mount", f"type=tmpfs,dst=/tmp,tmpfs-size={TMPFS_MOUNT_SIZE_IN_BYTES}"]
 )
 if DROPPED_CAPABILITIES:
- command.extend(f'--cap-drop={capability}' for capability in DROPPED_CAPABILITIES)
+ command.extend(
+ f"--cap-drop={capability}" for capability in DROPPED_CAPABILITIES
+ )
 if NO_NEW_PRIVILEGES:
 # Prevent container from gaining additional privileges
- command.append('--security-opt no-new-privileges')
+ command.append("--security-opt no-new-privileges")
 # other options, these options are experimental, may cause failure to start script
 if OTHER_OPTIONS and isinstance(OTHER_OPTIONS, list):
 for option in OTHER_OPTIONS:
From 61140fdb4b03171efd4034c89e91fc774e930574 Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Thu, 15 May 2025 15:20:58 +0200
Subject: [PATCH 4/8] Fix default value
---
 starter/runner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/starter/runner.py b/starter/runner.py
index c25d7d1..bde7f88 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -49,7 +49,7 @@
 TMPFS_MOUNT_SIZE_IN_BYTES = os.environ.get(
 "PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"
 )
-DROPPED_CAPABILITIES = os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", []).split(
+DROPPED_CAPABILITIES = os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", "").split(
 ","
 )
 NO_NEW_PRIVILEGES = (
From 2e75cab203bfb954e18d483d858d1ba599660bab Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Mon, 19 May 2025 17:40:49 +0200
Subject: [PATCH 5/8] Fix handling of PYTHON_RUNNER_DROPPED_CAPABILITIES
---
 starter/runner.py | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/starter/runner.py b/starter/runner.py
index bde7f88..a55c985 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -49,9 +49,10 @@
 TMPFS_MOUNT_SIZE_IN_BYTES = os.environ.get(
 "PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"
 )
-DROPPED_CAPABILITIES = os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", "").split(
- ","
-)
+DROPPED_CAPABILITIES = [
+ cap for cap in os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", "").split(",")
+ if cap.strip()
+]
 NO_NEW_PRIVILEGES = (
 os.environ.get("PYTHON_RUNNER_NO_NEW_PRIVILEGES", "false").lower() == "true"
 )
From fd1dc84cf87acb9e6e91655f45ef960909eb67d6 Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Mon, 19 May 2025 17:41:54 +0200
Subject: [PATCH 6/8] Fix code style
---
 starter/runner.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/starter/runner.py b/starter/runner.py
index a55c985..ebcadc6 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -50,7 +50,8 @@
 "PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"
 )
 DROPPED_CAPABILITIES = [
- cap for cap in os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", "").split(",")
+ cap
+ for cap in os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", "").split(",")
 if cap.strip()
 ]
 NO_NEW_PRIVILEGES = (
From 22872231f6f9e644a7aa1c7b88dd4956c65d01b3 Mon Sep 17 00:00:00 2001
From: Simon Hammes
Date: Mon, 19 May 2025 18:04:27 +0200
Subject: [PATCH 7/8] Fix option
---
 starter/runner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/starter/runner.py b/starter/runner.py
index ebcadc6..9a2df6a 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -322,7 +322,7 @@ def run_python(data):
 )
 if NO_NEW_PRIVILEGES:
 # Prevent container from gaining additional privileges
- command.append("--security-opt no-new-privileges")
+ command.append('--security-opt="no-new-privileges=true"')
 # other options, these options are experimental, may cause failure to start script
 if OTHER_OPTIONS and isinstance(OTHER_OPTIONS, list):
 for option in OTHER_OPTIONS:
From f0f60d670e443b7bb984716f24377d0374552b65 Mon Sep 17 00:00:00 2001
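Review bot: In [PATCH 5/8], the comprehension for DROPPED_CAPABILITIES tests `cap.strip()` but keeps the unstripped `cap`, so a value such as `NET_RAW, SYS_ADMIN` produces the entry ` SYS_ADMIN` with its leading space. That reaches the command as `--cap-drop= SYS_ADMIN`, which the container runtime will probably reject or fail to recognise. Store the stripped value instead: `cap.strip() for cap in os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", "").split(",") if cap.strip()`. The re-wrapped form in [PATCH 6/8] has the same issue.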
From: Simon Hammes
Date: Mon, 19 May 2025 18:24:50 +0200
Subject: [PATCH 8/8] Fix options
---
 starter/runner.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/starter/runner.py b/starter/runner.py
index 9a2df6a..b56a8d4 100644
--- a/starter/runner.py
+++ b/starter/runner.py
@@ -322,7 +322,7 @@ def run_python(data):
 )
 if NO_NEW_PRIVILEGES:
 # Prevent container from gaining additional privileges
- command.append('--security-opt="no-new-privileges=true"')
+ command.extend(["--security-opt", "no-new-privileges"])
 # other options, these options are experimental, may cause failure to start script
 if OTHER_OPTIONS and isinstance(OTHER_OPTIONS, list):
 for option in OTHER_OPTIONS: