hardening - add no-new-privileges

Dockerfile

@@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

Dockerfile-amd64

@@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

Dockerfile-arm32v7

@@ -21,7 +21,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

Dockerfile-arm64v8

@@ -21,7 +21,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

Dockerfile-i386

@@ -14,7 +14,7 @@ RUN chmod +x /tmp/dependencies.sh && \
 COPY entrypoint/ /opt/entrypoint
 COPY confs/ /opt/confs
 COPY scripts/ /opt/scripts
-COPY lua/ /opt/lua
+COPY lua/ /usr/local/lib/lua
 
 COPY prepare.sh /tmp/prepare.sh
 RUN chmod +x /tmp/prepare.sh && \

docs/security_tuning.md

@@ -220,6 +220,13 @@ By default, *bunkerized-nginx* runs as non-root user inside the container and sh
 docker run ... --drop-cap=all ... bunkerity/bunkerized-nginx
 ```
 
+### No new privileges
+Bunkerized-nginx should never tries to gain additional privileges through setuid/setgid executables. You can safely add the **no-new-privileges** [security configuration](https://docs.docker.com/engine/reference/run/#security-configuration) when creating the container :
+
+```shell
+docker run ... --security-opt no-new-privileges ... bunkerity/bunkerized-nginx
+```
+
 ### User namespace remap
 Another hardening trick is [user namespace remapping](https://docs.docker.com/engine/security/userns-remap/) : it allows you to map the UID/GID of users inside a container to another UID/GID on the host. For example, you can map the user nginx with UID/GID 101 inside the container to a non-existent user with UID/GID 100101 on the host.
 
@@ -235,3 +242,4 @@ $ chown root:100101 /path/to/letsencrypt
 $ chmod 770 /path/to/letsencrypt
 $ docker run ... -v /path/to/letsencrypt:/etc/letsencrypt ... bunkerity/bunkerized-nginx
 ```
+

examples/hardened/docker-compose.yml

@@ -7,11 +7,9 @@ services:
     # dropping all capabilities
     cap_drop:
       - ALL
-    # root fs as RO
+    # disable setuid/setgid
-    read_only: true
+    security_opt:
-    # mandatory directories as RW
+      - no-new-privileges
-    tmpfs:
-      - /tmp:mode=770,uid=0,gid=101
     restart: always
     ports:
       - 80:8080

prepare.sh

@@ -1,8 +1,5 @@
 #!/bin/sh
 
-# custom entrypoint
-mkdir /opt/entrypoint.d
-
 # prepare /www
 mkdir /www
 chown -R root:nginx /www
@@ -55,7 +52,6 @@ chmod 770 /var/lib/letsencrypt
 # prepare /usr/local/lib/lua
 chown -R root:nginx /usr/local/lib/lua
 chmod 770 /usr/local/lib/lua
-find /usr/local/lib/lua -type f -name "*.conf" -exec chmod 0760 {} \;
 find /usr/local/lib/lua -type f -name "*.lua" -exec chmod 0760 {} \;
 find /usr/local/lib/lua -type d -exec chmod 0770 {} \;