From f0542158de04fe362971465c0b30289fb795a062 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Thu, 31 Aug 2023 11:33:49 +0200
Subject: [PATCH] do not allow to set privileged at all
Signed-off-by: Simon L
---
Containers/docker-socket-proxy/haproxy.cfg | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg
index 13d3faf6..fa0df4d3 100644
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
@@ -29,8 +29,8 @@ frontend http
acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
- # ACL to restrict container creation, that it has HostConfig.Privileged only set to false
- acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\":\s?false"
+ # ACL to restrict container creation, that it has HostConfig.Privileged not set
+ acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\"\s*:"
# ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name no_privileged_flag nc_app_volume_data_only METH_POST
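Review bot: The new `no_privileged_flag` ACL now matches when `"Privileged":` IS present in HostConfig (any value, including `true`), but the unchanged `http-request allow` context line at the end of the hunk still references it un-negated, so as far as this hunk shows the allow rule fires only for bodies that set Privileged and a `"Privileged":true` create request passes the intended check. The allow line needs the ACL negated, `http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST`, and renaming the ACL to `privileged_flag_set` would stop the name from reading as its opposite. Separately, `[^}]*` stops at the first `}` inside HostConfig, so a nested object such as LogConfig or RestartPolicy serialized before `Privileged` (Docker clients commonly emit these) hides the key from the regex, and once the ACL is negated that non-match becomes an allow; a JSON `\u` escape in the key name (`"Privile\u0067ed"`) would evade it the same way, so this pattern should be treated as defence in depth rather than the sole gate, with the real enforcement done by a JSON-aware check or by denying on presence of the key anywhere in the body (`"\"Privileged\"\s*:\s*true"`). Note also that `req.body` matching only sees what `option http-buffer-request` buffered (not visible in this hunk), so a body larger than the buffer is effectively uninspected. The enclosing `frontend http` section begins outside the hunk.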