From bf6b1d17eb1d1b2d286d40da7b07c58880572cc2 Mon Sep 17 00:00:00 2001
From: Laszlo Kiraly
Date: Thu, 21 Jul 2022 12:19:15 +0200
Subject: [PATCH] Add capabilities and create user to enable security hardening (#6826)
Signed-off-by: Laszlo Kiraly
---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index a4546dc1..486b83e3 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -28,6 +28,13 @@ WORKDIR /build/internal/tests/
 CMD dlv -l :40000 --headless=true --api-version=2 test -test.v .
 
 FROM ghcr.io/edwarnicke/govpp/vpp:${VPP_VERSION} as runtime
+ARG user=nsm-user
+ARG group=nsm-user
+ARG uid=10001
+ARG gid=10001
+RUN groupadd -g ${gid} ${user} && useradd -g ${gid} -l -M -u ${uid} ${user}
 COPY --from=build /bin/forwarder /bin/forwarder
+RUN setcap cap_dac_override,cap_sys_admin,cap_net_admin=eip /bin/forwarder
+RUN setcap cap_ipc_lock,cap_net_raw,cap_sys_ptrace,cap_dac_override,cap_sys_admin,cap_net_admin,cap_setgid=eip /usr/bin/vpp
 COPY --from=build /bin/grpc-health-probe /bin/grpc-health-probe
 ENTRYPOINT [ "/bin/forwarder" ]
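Review bot: The `group` build argument is declared but never used — `RUN groupadd -g ${gid} ${user}` names the new group after the user, so passing `--build-arg group=…` has no effect; the line should read `RUN groupadd -g ${gid} ${group} && useradd -g ${gid} -l -M -u ${uid} ${user}`. The runtime stage also never switches to the new account: no `USER` instruction follows the setcap lines, so unless the deployment sets runAsUser the forwarder still starts as root and the file capabilities widen rather than narrow its privilege; either add `USER ${uid}` before `ENTRYPOINT` or record in a comment that the UID is expected to be applied by the pod securityContext. A comment above each `setcap` line stating why each capability is required (cap_sys_admin in particular is close to root-equivalent) would let future reviewers judge whether the set can be narrowed. Whether the runtime base image ships `setcap` cannot be seen from the hunk; if it does not, the build fails at that step.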