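# NOTE(review): `node:20` floats across every 20.x release. Pin a minor
# version (and, for production, a digest) so rebuilds are reproducible and the
# base image cannot change underneath you.
FROM node:20

# The node image already starts as root; kept explicit so it is visible that
# every privileged step below happens before the switch to sboxuser.
USER root

# Sandbox tooling: firejail is what /start.sh wraps the application in.
# `update` and `install` share one layer so the package index is never stale,
# and the apt lists are removed in the same layer so they do not ship in the
# image.
# NOTE(review): firejail is installed as a setuid-root binary and builds its
# sandbox from namespaces and mounts. A default Docker container (no
# CAP_SYS_ADMIN, default seccomp profile, or `no-new-privileges`) may not let
# it do that -- verify it actually starts in the target runtime. Do not "fix"
# a failure with --privileged or seccomp=unconfined: that weakens the outer
# container boundary more than firejail hardens the inner one.
RUN apt-get update \
    && apt-get install -y --no-install-recommends firejail \
    && rm -rf /var/lib/apt/lists/*

# No file capabilities are granted to /usr/local/bin/node. The ports declared
# below (8000 and 4000) are unprivileged, so cap_net_bind_service is not
# needed, and a file capability on the interpreter would apply to every node
# process, not just the listener. If a port below 1024 is ever required, add
# `apt-get install -y --no-install-recommends libcap2-bin` above and
# `setcap cap_net_bind_service=+ep /usr/local/bin/node` here rather than
# running the service as root.

WORKDIR /code

# Dependency manifests first so this layer stays cached until they change.
COPY package*.json ./
# `npm ci` installs exactly what package-lock.json pins and fails on drift,
# instead of re-resolving like `npm install`. It requires the lockfile to be
# committed alongside package.json.
RUN npm ci

# Application source. Keep a .dockerignore that excludes .git, node_modules,
# .env and editor files so nothing sensitive is copied into the image.
# The tree is intentionally left root-owned: sboxuser gets read access only
# and cannot modify the code it runs.
COPY . .
RUN npm run build

# Unprivileged runtime account with a fixed UID, so the runtime (and the
# planned user-namespace mapping) can refer to it numerically. /code/projects
# is the only path the sandboxed process may write to.
RUN useradd --create-home --uid 10001 sboxuser \
    && mkdir -p /code/projects \
    && chown sboxuser:sboxuser /code/projects

# todo user namespace mapping

# Entrypoint wrapper. Written with printf rather than echo so the line break
# does not depend on whether /bin/sh is dash (interprets "\n") or bash (does
# not). See firejail(1) for the exact semantics of each flag:
#   --private=/code/projects    projects dir becomes the sandbox home
#   --whitelist=/code/projects  only this path from the original tree is kept
#   --net=none                  no network inside the sandbox
#   --noprofile                 /etc/firejail/default.profile is not loaded
# NOTE(review): --net=none contradicts the EXPOSE 8000/4000 below -- a node
# process listening on those ports inside this sandbox is unreachable from
# outside it. If dist/index.js is the listener, sandbox the child processes it
# spawns instead of the server itself.
# NOTE(review): --noprofile discards whatever hardening the default profile
# carries; state the controls you rely on explicitly (for example
# --caps.drop=all --seccomp --nonewprivs) and confirm them against the
# installed firejail version.
RUN printf '%s\n' \
      '#!/bin/bash' \
      'exec firejail --private=/code/projects --noprofile --net=none --whitelist=/code/projects node dist/index.js' \
      > /start.sh \
    && chmod 0755 /start.sh

# Everything from here on runs unprivileged.
USER sboxuser

# Documentation only (EXPOSE does not publish). Both ports are above 1024, so
# no capability is needed to bind them as sboxuser.
EXPOSE 8000
EXPOSE 4000

CMD ["/start.sh"]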