From 2ce3195d35ed1c0cc627f50bf2f9af260a74abcc Mon Sep 17 00:00:00 2001
From: continuist
Date: Fri, 5 Sep 2025 18:59:51 -0400
Subject: [PATCH] Security improvements #8

---
 .forgejo/workflows/ci.yml | 11 +++++------
 podman-host-socket.service | 2 ++
 secure_pip_setup.sh | 4 ++--
 3 files changed, 9 insertions(+), 8 deletions(-)

diff --git a/.forgejo/workflows/ci.yml b/.forgejo/workflows/ci.yml
index ecd75fe..c0bcd83 100644
--- a/.forgejo/workflows/ci.yml
+++ b/.forgejo/workflows/ci.yml
@@ -16,7 +16,6 @@ env:
 NODE_IMG_DIGEST: ${{ secrets.NODE_IMG_DIGEST }} # e.g., docker.io/library/node@sha256:...
 POSTGRES_IMG_DIGEST: ${{ secrets.POSTGRES_IMG_DIGEST }} # e.g., docker.io/library/postgres@sha256:...
 PODMAN_CLIENT_IMG_DIGEST: ${{ secrets.PODMAN_CLIENT_IMG_DIGEST }} # e.g., quay.io/podman/stable@sha256:...
- SELINUX_ZLABEL: "" # set to ":z" if SELinux is enforcing
 
 jobs:
 test-backend:
@@ -28,7 +27,7 @@ jobs:
 run: |
 for v in RUST_IMG_DIGEST NODE_IMG_DIGEST POSTGRES_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
 [ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
- echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}' || { echo "$v must be a digest ref"; exit 1; }
+ echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
 done
 
 - name: Setup ephemeral PiP container
@@ -82,7 +81,7 @@ jobs:
 run: |
 podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
 podman run --rm \
- -v "$WORKSPACE":/workspace${SELINUX_ZLABEL} \
+ -v "$WORKSPACE":/workspace \
 -w /workspace \
 "'"${RUST_IMG_DIGEST}"'" \
 sh -c "cargo test --lib -- --test-threads=1"'
@@ -95,7 +94,7 @@ jobs:
 podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
 podman run --rm \
 --network integ-'"$RUN_ID"' \
- -v "$WORKSPACE":/workspace'"${SELINUX_ZLABEL}"' \
+ -v "$WORKSPACE":/workspace \
 -w /workspace \
 -e DATABASE_URL=postgres://testuser:testpassword@test-postgres:5432/testdb \
 "'"${RUST_IMG_DIGEST}"'" \
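Review bot: The added `$` anchor on the `+` line still accepts anything at all before `@`, and because the value reaches `grep -q` through `echo`, a secret containing a newline passes as long as one of its lines matches; these digests are later spliced into a `sh -lc '...'` script where they sit inside double quotes, so a value carrying `"` or `$` would still be interpreted by that inner shell. Test the whole value in bash and restrict the repository part to OCI reference characters: `[[ "${!v}" =~ ^[A-Za-z0-9][A-Za-z0-9._/:-]*@sha256:[0-9a-f]{64}$ ]] || { echo "$v must be a digest ref"; exit 1; }`, which also makes the preceding `[ -n ... ]` test redundant. A one-line comment above the loop stating that the digest is the only thing allowed to name an image would tell the next editor why the pattern is this strict.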
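Review bot: The `podman run` that executes `cargo test` on the `+` line's container keeps podman's default capability set and can still gain privileges, even though it runs the checked-out build scripts and tests against a read-write mount of the workspace. Nothing a Rust toolchain image does needs capabilities, so add `--cap-drop=ALL --security-opt=no-new-privileges` to this `podman run`, which also mirrors the `NoNewPrivileges` the commit adds to the host socket unit. With the relabel suffix gone, an SELinux-enforcing host will deny the container access to `/workspace` unless the directory is already labelled for container use; a comment on the `-v` line saying that this now fails closed would stop it being misread as a runner bug. The `run:` step begins inside this hunk but the enclosing job continues outside it.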
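Review bot: `--network integ-'"$RUN_ID"'` is expanded by the outer step shell, while `"$WORKSPACE"` on the `+` line is left to the inner `sh -lc` inside the ci-pip container, so whether `WORKSPACE` is set there, and whether it is a host path that the host-side `podman system service` can resolve for the bind mount, depends on setup outside this hunk. Expanding it in the outer shell the same way as `RUN_ID`, `-v "'"$WORKSPACE"'":/workspace \`, turns the inner script into a fixed string whose only inputs are the pre-validated digest and run id, which is easier to audit. The fixed `testuser:testpassword` in `DATABASE_URL` is acceptable only because the database lives on the per-run `integ-` network; a short comment saying so would keep a later reader from promoting it to a secret for no gain.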
@@ -121,7 +120,7 @@ jobs:
 run: |
 for v in NODE_IMG_DIGEST PODMAN_CLIENT_IMG_DIGEST; do
 [ -n "${!v}" ] || { echo "Missing $v"; exit 1; }
- echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}' || { echo "$v must be a digest ref"; exit 1; }
+ echo "${!v}" | grep -Eq '^.+@sha256:[0-9a-f]{64}$' || { echo "$v must be a digest ref"; exit 1; }
 done
 
 - name: Setup ephemeral PiP container
@@ -144,7 +143,7 @@ jobs:
 run: |
 podman exec ci-pip-${{ env.RUN_ID }} sh -lc '
 podman run --rm \
- -v "$WORKSPACE":/workspace'"${SELINUX_ZLABEL}"' \
+ -v "$WORKSPACE":/workspace \
 -w /workspace \
 "'"${NODE_IMG_DIGEST}"'" \
 sh -c "npm ci && npm run test"'
diff --git a/podman-host-socket.service b/podman-host-socket.service
index e3e1dfc..2ce4ae8 100644
--- a/podman-host-socket.service
+++ b/podman-host-socket.service
@@ -5,6 +5,8 @@ After=default.target
 [Service]
 Type=simple
 Environment="XDG_RUNTIME_DIR=/run/user/%U"
+UMask=007
+NoNewPrivileges=yes
 ExecStartPre=/usr/bin/mkdir -p ${XDG_RUNTIME_DIR}/podman-host
 ExecStartPre=/usr/bin/chmod 770 ${XDG_RUNTIME_DIR}/podman-host
 ExecStart=/usr/bin/podman system service --time=0 unix://${XDG_RUNTIME_DIR}/podman-host/podman.sock
diff --git a/secure_pip_setup.sh b/secure_pip_setup.sh
index b572e6c..d6137f6 100755
--- a/secure_pip_setup.sh
+++ b/secure_pip_setup.sh
@@ -40,8 +40,8 @@ podman run -d \
 --network=none \
 --tmpfs /run:rw,size=64M \
 --tmpfs /tmp:rw,size=256M \
- -v "${SOCKET_PATH}:/var/run/podman.sock${SELINUX_ZLABEL:-}" \
- -v "${WORKSPACE}:/workspace:rw${SELINUX_ZLABEL:-}" \
+ -v "${SOCKET_PATH}:/var/run/podman.sock" \
+ -v "${WORKSPACE}:/workspace:rw" \
 -e CONTAINER_HOST="unix:///var/run/podman.sock" \
 "${PODMAN_CLIENT_IMG_DIGEST}" \
 sleep infinity
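Review bot: This validation loop is a duplicate of the one in the backend job, differing only in the variable list, and this commit already had to tighten the regex in both places in lockstep. Moving the loop into a checked-in script that takes the variable names as arguments, e.g. `scripts/check-digest-refs.sh RUST_IMG_DIGEST NODE_IMG_DIGEST`, gives both jobs one place to harden and one place to test. A comment at the call site naming the script's contract (non-empty, digest-only reference) is then all each job needs.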
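Review bot: `npm ci` on the last line runs every dependency's install lifecycle scripts with the full privileges of this container, which is the usual foothold for a compromised npm package; the job pins the node image by digest but nothing constrains what the package tree executes. If the project's dependencies do not need install scripts, `sh -c "npm ci --ignore-scripts && npm run test"` closes that hole, and otherwise at least add `--cap-drop=ALL --security-opt=no-new-privileges` to this `podman run` so a malicious postinstall starts with no capabilities. Either way, a comment on the line recording which option was chosen and why would help the next reviewer.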
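Review bot: `NoNewPrivileges=yes` is inherited by everything the API service forks, and if this unit runs podman rootless (the `/run/user/%U` runtime dir suggests it does) the setuid `newuidmap`/`newgidmap` helpers it relies on for multi-UID user namespaces no longer gain root under that flag, so images that switch users, such as the postgres image the workflow references, can fail to start; verify this on a target host before relying on the unit. `UMask=007` means the socket podman creates will be 0660 inside the 0770 directory, i.e. every member of the service user's primary group obtains the equivalent of that user's full podman access, which should be a documented choice: `# socket is 0660: members of the service user's group can drive podman as that user`. The `[Unit]` section and any `User=`/`Group=` lines are outside this hunk.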
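Review bot: The socket bind mount on the first `+` line hands the container the full authority of whoever owns `${SOCKET_PATH}`: any process in it can ask the host podman for a container with `-v /:/host` or a network, so `--network=none` and the tmpfs limits above are not the security boundary, and adding `:ro` would not help because a read-only bind mount does not restrict `connect()` on a socket. The real boundary is the digest-pinned client image plus whatever the workflow execs into it, and a comment above the mount should say so, e.g. `# NOTE: socket access == socket owner's podman rights; :ro would not limit connect(). Boundary is the pinned client image + the exec'd commands.` Dropping the relabel suffix also means an SELinux-enforcing host will deny this container both mounts unless they are already labelled for container access; `--security-opt label=disable` is the usual replacement for this particular container and deserves a recorded decision rather than a silent failure. The `podman run -d \` command starts before this hunk.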