
Refactor file capabilities
All checks were successful
/ Test oci-builder (push) Successful in 55s
/ Release oci-builder (push) Successful in 2s
/ Build oci-builder (push) Successful in 1m5s

Adding capabilities after removing capabilities is more robust and makes
more sense logically; the reverse order was confusing.

This also allows dropping the exception from removal.
ver4a 2025-04-17 01:45:42 +02:00
parent 31ac3096dc
commit 37483da0f5


@ -24,11 +24,11 @@ RUN mkdir /builder /builder/.config && chown -R 65534:65534 /builder
# This works around https://github.com/redhat-actions/podman-login/pull/43, until this PR is merged at least
RUN mkdir /builder/.docker && chown -R 65534:65534 /builder/.docker
RUN setcap cap_setuid=ep /usr/bin/newuidmap cap_setgid=ep /usr/bin/newgidmap
RUN find / -mindepth 1 -path /proc -prune -or -path /sys -prune -or -path /dev -prune -or -type f -perm /6000 -exec sh -c "chmod ug-s '{}' && echo \"Removed setuid/setgid bit(s) from '{}'\"" \;
RUN getcap -r / | awk '{ print $1 }' | grep -vE '/usr/bin/new[ug]idmap' | xargs -I '{}' sh -c "setcap -r '{}' && echo \"Removed file capability bit(s) from '{}'\""
RUN getcap -r / | awk '{ print $1 }' | xargs -I '{}' sh -c "setcap -r '{}' && echo \"Removed file capability bit(s) from '{}'\""
RUN setcap cap_setuid=ep /usr/bin/newuidmap cap_setgid=ep /usr/bin/newgidmap
RUN shopt -s dotglob && rm -rf /var/cache/* /tmp/* /var/tmp/*
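Review bot: the new unconditional `getcap -r /` walk still differs from the preceding `find` in what it covers: `find` prunes /proc, /sys and /dev, while `getcap -r /` descends into all three, so the two cleanup steps do not operate on the same tree. Mirror the pruning so both steps are consistent, e.g. `RUN find / -mindepth 1 -path /proc -prune -or -path /sys -prune -or -path /dev -prune -or -type f -exec getcap '{}' + | awk '{ print $1 }' | xargs -I '{}' sh -c "setcap -r '{}' && echo ..."`. Two smaller points on the same line: `awk '{ print $1 }'` truncates any path that contains whitespace, and the single quotes inside `sh -c "setcap -r '{}'"` break on a path that contains a `'`; `xargs -I '{}' setcap -r '{}'` without the intermediate shell avoids the quoting issue at the cost of the echo. The reordering itself is sound: with the blanket removal now running first, newuidmap and newgidmap end up carrying exactly the capabilities granted on the final `setcap` line and nothing else, and the `grep -vE` exception is no longer needed.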