
Commit cb47c96

authored
test: drop all Linux kernel capabilities (#89)
1 parent b524782 commit cb47c96

2 files changed

+14
-3
lines changed

2 files changed

+14
-3
lines changed

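--- a/src/localdev.sh
+++ b/src/localdev.sh
@@ -1,11 +1,11 @@
 #!/usr/bin/env sh
-# TODO: OWASP RULE#3 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-3-limit-capabilities-grant-only-specific-capabilities-needed-by-a-container
 # TODO: OWASP RULE#4 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-4-prevent-in-container-privilege-escalation
 # TODO: OWASP RULE#7 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts
 # TODO: Same OWASP rules in test.sh file
 # TODO: document security recommendations adapted to this project
 # TODO: document requirements for OWASP RULE#8 https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-7-limit-resources-memory-cpu-file-descriptors-processes-restarts
 # TODO: try OWASP RULE#8 here
+# TODO: move at root of the project
 
 set -eu
 
@@ -19,5 +19,11 @@ docker buildx bake --progress=plain dev
 echo '✅ Image built successfully.'
 
 echo '▶️ Starting the localdev PaperMC server...'
-docker run --rm -it -p 25565:25565/tcp -p 25565:25565/udp -e EULA=true 'djaytan/papermc-server:dev'
+
+docker run --rm -it \
+--cap-drop all \
+-p 25565:25565/tcp -p 25565:25565/udp \
+-e EULA=true \
+'djaytan/papermc-server:dev'
+
 echo '🛑 The localdev PaperMC server has been stopped and removed.'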
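Review bot: `--cap-drop all` on the new `docker run` in the second hunk limits what the container's process may do, but it does not change which user that process runs as; if the image still starts PaperMC as root, the rule 4 item kept in the header TODO list (`--security-opt=no-new-privileges`) and a non-root `USER` in the image remain the complementary controls, which is worth confirming against the Dockerfile before closing the rule 3 item. In the first hunk the retained line `# TODO: Same OWASP rules in test.sh file` is partly done by this very commit, and the RULE#8 entry links to the `#rule-7-...` anchor, so the list reads stale; a clearer entry would be `# TODO: apply the remaining OWASP rules (4, 7, 8) in test.sh as well` together with a corrected RULE#8 link. The script body continues outside both hunks.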

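--- a/src/test/docker/test.sh
+++ b/src/test/docker/test.sh
@@ -8,7 +8,12 @@ CONTAINER_NAME='test-papermc-server'
 echo '📋 Testing the Docker PaperMC server image...'
 
 echo '▶️ Starting the PaperMC server in background...'
-docker run --rm -d --name "$CONTAINER_NAME" -e EULA=true 'djaytan/papermc-server:dev'
+
+docker run --rm -d --name "$CONTAINER_NAME" \
+--cap-drop all \
+-p 25565:25565/tcp -p 25565:25565/udp \
+-e EULA=true \
+'djaytan/papermc-server:dev'
 
 cleanup() {
 echo '🛑 Automatically stopping and removing the PaperMC server container...'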
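Review bot: The rewritten `docker run` now publishes `-p 25565:25565/tcp -p 25565:25565/udp`, which the removed line did not; binding 25565 on every host interface for the duration of a test run exposes the server beyond the host and will make the test fail whenever a localdev instance already holds that port. If the test only needs to reach the server from the host, bind to loopback, `-p 127.0.0.1:25565:25565/tcp -p 127.0.0.1:25565:25565/udp \`; if the checks run from inside the container network, the publish can be dropped entirely and the commit message's "drop all capabilities" scope stays intact. The `cleanup()` function that begins at the end of the hunk continues outside it.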
