From cc6f03d27b47c194e7222f11c0e99e37e77b7cfb Mon Sep 17 00:00:00 2001
From: CaffeineFueled
Date: Fri, 2 May 2025 18:13:59 +0200
Subject: [PATCH 1/2] ADD read-only flag to run script and ADD gitignore to source dir
---
 run_container.sh | 3 ++-
 source/.gitignore | 4 ++++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 source/.gitignore
diff --git a/run_container.sh b/run_container.sh
index 5a11df3..8fc342c 100755
--- a/run_container.sh
+++ b/run_container.sh
@@ -46,6 +46,7 @@ echo "Starting container..."
 $CONTAINER_CMD run --name ${CONTAINER_NAME} \
 -p 8000:8000 \
 -v "$SOURCE_DIR":/home/appuser/app/source${VOLUME_FLAG} \
+ --read-only \
 --security-opt no-new-privileges:true \
 --cap-drop ALL \
 --user 1000:1000 \
@@ -66,4 +67,4 @@ if [ $? -eq 0 ]; then
 else
 echo "Failed to start container."
 exit 1
-fi
\ No newline at end of file
+fi
diff --git a/source/.gitignore b/source/.gitignore
new file mode 100644
index 0000000..5e7d273
--- /dev/null
+++ b/source/.gitignore
@@ -0,0 +1,4 @@
+# Ignore everything in this directory
+*
+# Except this file
+!.gitignore
From 36eed976f2de7d251237819a00131ab46b278555 Mon Sep 17 00:00:00 2001
From: CaffeineFueled
Date: Tue, 6 May 2025 23:42:49 +0200
Subject: [PATCH 2/2] ADD container isolation with nftables
---
 run_container.sh | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/run_container.sh b/run_container.sh
index 8fc342c..933d2ca 100755
--- a/run_container.sh
+++ b/run_container.sh
@@ -44,7 +44,7 @@ fi
 # Run the container
 echo "Starting container..."
 $CONTAINER_CMD run --name ${CONTAINER_NAME} \
- -p 8000:8000 \
+ -p 127.0.0.1:8000:8000 \
 -v "$SOURCE_DIR":/home/appuser/app/source${VOLUME_FLAG} \
 --read-only \
 --security-opt no-new-privileges:true \
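Review bot: `--read-only` in the first run_container.sh hunk makes the whole root filesystem immutable, but nothing in the command declares a writable scratch location, so any temp file, cache or log the application on port 8000 writes will now fail at runtime; if the app needs one, add `--tmpfs /tmp:rw,noexec,nosuid,size=64m` on the line after `--read-only \`. Whether the `$SOURCE_DIR` bind mount on the preceding line stays writable is decided by `${VOLUME_FLAG}`, which is set outside this hunk — presumably it carries `:ro` (and `:Z` on SELinux hosts), worth confirming, since a writable source mount gives back much of what the read-only root takes away. A one-line comment above `--read-only`, such as `# immutable root fs; writable paths must be declared explicitly (tmpfs/volumes)`, would tell the next maintainer why a later "read-only file system" error is expected rather than a bug. The `$CONTAINER_CMD run` command in this hunk continues past the hunk's last line.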
@@ -52,6 +52,14 @@ $CONTAINER_CMD run --name ${CONTAINER_NAME} \
 --user 1000:1000 \
 -d ${CONTAINER_NAME}:latest
+
+echo $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}')
+
+sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n nft add table inet filter
+sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n nft add chain inet filter output { type filter hook output priority 0 \; policy drop \; }
+sudo nsenter -t $(podman inspect ${CONTAINER_NAME} --format '{{.State.Pid}}') -n \
+ nft add rule inet filter output oif lo accept
+
 # Check if container started successfully
 if [ $? -eq 0 ]; then
 echo "Container started successfully!"
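Review bot: The `if [ $? -eq 0 ]` guard under "Check if container started successfully" now tests the exit status of the last `sudo nsenter … nft add rule` command rather than the `$CONTAINER_CMD run` that begins before this hunk, so a failed container start is no longer detected; capture the status right after the `-d ${CONTAINER_NAME}:latest` line (`run_rc=$?`) and test that instead. The new lines also call `podman inspect` directly, four times, although the rest of the script goes through `$CONTAINER_CMD`, so the egress rules break under any other runtime that variable may select; look the PID up once via `$CONTAINER_CMD inspect`. With an `output` chain whose policy is drop and only `oif lo accept`, replies to requests arriving on the published port presumably leave the namespace through the container's veth/tap interface rather than `lo` (true for the usual bridge/slirp4netns/pasta modes) and are dropped too, so a `ct state established,related accept` rule is needed to keep the service reachable while still blocking connections the container initiates. Finally the rules are installed only after the container is already running (a brief window of unrestricted egress) and live in this network namespace alone, so they vanish if the container is restarted without rerunning the script — both deserve a comment. The `if` block continues past the end of the hunk.
```shell
  -d ${CONTAINER_NAME}:latest
run_rc=$?   # status of the container start, before the nft commands overwrite $?

# Same runtime the rest of the script uses; resolve the PID once.
CONTAINER_PID=$($CONTAINER_CMD inspect "${CONTAINER_NAME}" --format '{{.State.Pid}}')

# Egress lockdown inside the container's network namespace: loopback and replies
# to already-established (inbound, published-port) connections are allowed,
# everything the container initiates is dropped. Installed after start (short
# unrestricted window) and lost if the container restarts without this script.
sudo nsenter -t "$CONTAINER_PID" -n nft add table inet filter
sudo nsenter -t "$CONTAINER_PID" -n nft add chain inet filter output \
  { type filter hook output priority 0 \; policy drop \; }
sudo nsenter -t "$CONTAINER_PID" -n nft add rule inet filter output oif lo accept
sudo nsenter -t "$CONTAINER_PID" -n nft add rule inet filter output ct state established,related accept

# Check if container started successfully
if [ "$run_rc" -eq 0 ]; then
```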