From 8f09769fddc602ce5e84d3cb4614c9ea0a26261d Mon Sep 17 00:00:00 2001
From: Christopher Bunn
Date: Mon, 10 Jul 2017 20:10:39 -0700
Subject: [PATCH] systemd: reduce container privilege by whitelisting NET_ADMIN capability
---
 init/docker-openvpn@.service | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/init/docker-openvpn@.service b/init/docker-openvpn@.service
index a5e0b00..35bb9c6 100644
--- a/init/docker-openvpn@.service
+++ b/init/docker-openvpn@.service
@@ -64,7 +64,7 @@ ExecStartPre=-/usr/bin/docker pull $IMG
 ExecStartPre=/bin/sh -c 'test -z "$IP6_PREFIX" && exit 0; sysctl net.ipv6.conf.all.forwarding=1'
 # Main process
-ExecStart=/usr/bin/docker run --rm --privileged -v ${DATA_VOL}:/etc/openvpn --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS
+ExecStart=/usr/bin/docker run --rm --cap-add=NET_ADMIN -v ${DATA_VOL}:/etc/openvpn --name ${NAME} -p ${PORT} ${IMG} ovpn_run $ARGS
 # IPv6: Add static route for IPv6 after it starts up
 ExecStartPost=/bin/sh -c 'test -z "${IP6_PREFIX}" && exit 0; sleep 1; ip route replace ${IP6_PREFIX} via $(docker inspect -f "{{ .NetworkSettings.GlobalIPv6Address }}" $NAME ) dev docker0'
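Review bot: Replacing `--privileged` with `--cap-add=NET_ADMIN` on the new ExecStart line also removes the implicit pass-through of host device nodes, so the container only sees `/dev/net/tun` if the image creates it itself under Docker's default capabilities or the unit passes it explicitly; the hunk does not show what `ovpn_run` does, so please confirm a tunnel still comes up after this change or add `--device /dev/net/tun` to the same line. The reduced privilege is the right direction, but a future maintainer will not know why this one capability survives, so a why-comment above the line would help, e.g. `# NET_ADMIN is the only extra capability: ovpn_run needs it to configure the tun interface and routes`. The ExecStartPost route command runs on the host through `ip` and `docker inspect`, so it is presumably unaffected by the container's capability set.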