improve docker security (#1375)
motivation: a more secure CI setup. changes: * enable the :z SELinux flag on bind mounts so we can enable SELinux on CI * drop potentially exploitable capabilities in docker-compose
parent
b4483e5c49
commit
25583d5ad8
|
@ -16,8 +16,11 @@ services:
|
|||
depends_on: [runtime-setup]
|
||||
volumes:
|
||||
- ~/.ssh:/root/.ssh
|
||||
- ..:/code
|
||||
- ..:/code:z
|
||||
working_dir: /code
|
||||
cap_drop:
|
||||
- CAP_NET_RAW
|
||||
- CAP_NET_BIND_SERVICE
|
||||
|
||||
sanity:
|
||||
<<: *common
|
||||
|
|
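Review bot: The `~/.ssh:/root/.ssh` bind mount just above the changed `..:/code:z` line is left without an SELinux label and stays read-write, so once SELinux is enforcing on CI the container will likely be denied access to `/root/.ssh`, and until then every job in this service can modify the host's SSH material. Mounting it read-only, `- ~/.ssh:/root/.ssh:ro`, narrows that; whether to relabel it needs a deliberate decision, since `:z` on a directory under the home directory also changes the label the host's own sshd sees. The new `cap_drop` list removes only two capabilities and leaves the rest of Docker's default set in place; if the builds allow it, `cap_drop: [ALL]` together with `security_opt: [no-new-privileges:true]` is the least-privilege form. The service definition these keys belong to starts above the hunk, so which services inherit them through `<<: *common` cannot be confirmed from here.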