patches on sxsw ai working api key working container hardened plus many more

This commit is contained in:
Dorian
2026-03-12 22:19:04 +00:00
parent 73e0a1b74d
commit 5e6aaa74aa
14 changed files with 625 additions and 46 deletions


@@ -1234,8 +1234,23 @@ fn get_app_capabilities(app_id: &str) -> Vec<String> {
"--cap-add=SETGID".to_string(),
"--cap-add=NET_BIND_SERVICE".to_string(),
],
// Bitcoin and Lightning need file ownership ops
// Bitcoin and Lightning need file ownership ops + DAC_OVERRIDE for data dir access
"bitcoin" | "bitcoin-core" | "bitcoin-knots" | "lnd" | "fedimint" | "fedimint-gateway" => vec![
"--cap-add=CHOWN".to_string(),
"--cap-add=FOWNER".to_string(),
"--cap-add=SETUID".to_string(),
"--cap-add=SETGID".to_string(),
"--cap-add=DAC_OVERRIDE".to_string(),
],
// Vaultwarden needs file ownership + NET_BIND_SERVICE (binds port 80 internally)
"vaultwarden" => vec![
"--cap-add=CHOWN".to_string(),
"--cap-add=SETUID".to_string(),
"--cap-add=SETGID".to_string(),
"--cap-add=NET_BIND_SERVICE".to_string(),
],
// PhotoPrism uses s6-overlay which needs privilege ops
"photoprism" => vec![
"--cap-add=CHOWN".to_string(),
"--cap-add=SETUID".to_string(),
"--cap-add=SETGID".to_string(),
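Review bot: The DAC_OVERRIDE grant added to the bitcoin/lnd/fedimint arm (`"--cap-add=DAC_OVERRIDE".to_string(),`) is much broader than the comment's "data dir access" suggests: it bypasses discretionary read/write/execute permission checks on every file the container user can reach, not just the data directory, and it now applies to all six app ids in that arm. If the underlying problem is a data directory owned by a different UID, fixing ownership at startup (CHOWN and FOWNER are already granted here) keeps the sandbox tighter; if DAC_OVERRIDE really is required, the comment should record which app and which path needs it so the grant can be revisited, e.g. `// DAC_OVERRIDE: <app-id> cannot open <path> owned by <uid> — TODO narrow` (placeholders to be filled in). The vaultwarden arm's NET_BIND_SERVICE is only needed because the image listens on port 80; vaultwarden honours ROCKET_PORT, so an unprivileged port would let that cap be dropped as well. get_app_capabilities starts before this hunk, and the header's -1234,8 +1234,23 counts do not match the lines shown, so which lines are added versus context is not fully recoverable from this rendering.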
@@ -1246,7 +1261,14 @@ fn get_app_capabilities(app_id: &str) -> Vec<String> {
"--cap-add=SETUID".to_string(),
"--cap-add=SETGID".to_string(),
],
// Minimal apps (searxng, filebrowser, uptime-kuma, etc.) need no extra caps
// Uptime-kuma startup script needs chown/fowner for /app/data ownership
"uptime-kuma" => vec![
"--cap-add=CHOWN".to_string(),
"--cap-add=FOWNER".to_string(),
"--cap-add=SETUID".to_string(),
"--cap-add=SETGID".to_string(),
],
// Minimal apps (searxng, filebrowser, etc.) need no extra caps
_ => vec![],
}
}
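Review bot: The new uptime-kuma arm grants CHOWN, FOWNER, SETUID and SETGID for the container's entire lifetime to serve what the comment describes as a one-time startup chown of /app/data; the comment should state that the entrypoint is expected to drop privileges afterwards, e.g. `// Uptime-kuma entrypoint chowns /app/data then drops to the app user; caps remain granted for the container lifetime`. Unless the run command elsewhere starts from `--cap-drop=ALL` (not visible in this hunk), these `--cap-add` flags extend Docker's default capability set rather than narrowing it, which is worth confirming before calling the container hardened. The arm also repeats the four-capability pattern already present in the bitcoin arm above; a shared helper for that ownership-caps set would give a single audited place for the grant. The is_readonly_compatible hunk that follows still lists uptime-kuma but is cut off at the end of the page, so whether the root filesystem stays read-only for this app cannot be judged here.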
@@ -1258,10 +1280,7 @@ fn is_readonly_compatible(app_id: &str) -> bool {
app_id,
"searxng"
| "grafana"
| "uptime-kuma"
| "filebrowser"
| "photoprism"
| "vaultwarden"
| "mempool-electrs"
| "electrs"
| "nostr-rs-relay"