mirror of
https://github.com/nextcloud/all-in-one.git
synced 2025-09-11 09:05:56 +08:00
more strict rules for the container creation
Signed-off-by: Oleksander Piskun <oleksandr2088@icloud.com>
This commit is contained in:
Oleksander Piskun
parent
91e99dcba9
commit
348a08a720
1 changed files with 6 additions and 6 deletions
|
|
@ -13,7 +13,7 @@ frontend http
|
|||
bind :::2375 v4v6
|
||||
http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
|
||||
# docker system _ping
|
||||
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping } METH_GET
|
||||
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/_ping$ } METH_GET
|
||||
# container inspect: GET containers/%s/json
|
||||
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
|
||||
# container inspect: GET containers/%s/logs
|
||||
|
|
@ -38,19 +38,19 @@ frontend http
|
|||
# ACL to deny if there are any binds
|
||||
acl binds_present req.body -m reg -i "\"HostConfig\"\s*:.*\"Binds\"\s*:"
|
||||
# ACL to restrict the type of Mounts to volume
|
||||
acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
|
||||
acl type_not_volume req.body -m reg -i "\"Mounts\"\s*:\s*\[[^\]]*(\"Type\"\s*:\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
|
||||
http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
|
||||
|
||||
# ACL to restrict container creation, that it has HostConfig.Privileged not set
|
||||
acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\""
|
||||
# ACL to restrict container creation, that it has HostConfig.Privileged(by searching for "Privileged" word in all payload)
|
||||
acl no_privileged_flag req.body -m reg -i "\"Privileged\""
|
||||
# ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
|
||||
acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
|
||||
acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\"\s*:\s*\[\s*{[^}]*\"Source\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
|
||||
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
|
||||
# end of container create
|
||||
|
||||
# volume create: POST volumes/create
|
||||
# restrict name
|
||||
acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
|
||||
acl nc_app_volume_data req.body -m reg -i "\"Name\"\s*:\s*\"nc_app_[a-zA-Z0-9_.-]+_data\""
|
||||
# do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
|
||||
acl volume_no_device req.body -m reg -i "\"device\""
|
||||
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
|
||||
|
|
|
|||
Loading…
Add table
Reference in a new issue