From b2de9860307e3723456e95d1caf110ca73af23ce Mon Sep 17 00:00:00 2001
From: tom doron
Date: Wed, 29 Jan 2020 15:53:10 -0800
Subject: [PATCH] improve docker security

motivation: more secured ci setup

changes:
* enable :z selinux flag on bind mounts so we can enable selinux on ci
* drop potentially exploitable capabilities from docker-compose
---
 docker/docker-compose.yaml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
index 6c64eb8..38c4d41 100644
--- a/docker/docker-compose.yaml
+++ b/docker/docker-compose.yaml
@@ -16,8 +16,11 @@ services:
     depends_on: [runtime-setup]
     volumes:
       - ~/.ssh:/root/.ssh
-      - ..:/code
+      - ..:/code:z
     working_dir: /code
+    cap_drop:
+      - CAP_NET_RAW
+      - CAP_NET_BIND_SERVICE
 
   sanity:
     <<: *common
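Review bot: The new `cap_drop` list removes only two capabilities, so every other entry in Docker's default bounding set (CHOWN, SETUID, SETGID, SYS_CHROOT, and so on) stays available to a root process in the build container; for a CI job the allow-list form `cap_drop: [ALL]` followed by a `cap_add:` for whatever the build is shown to need is the stronger and more reviewable default, though I cannot see from this hunk which capabilities the build actually exercises. If this block is the mapping behind the `*common` anchor that `sanity:` merges on the last line, the drop propagates to every service that reuses it, which is worth stating in a comment above `cap_drop:` so nobody later adds a network-probing step to one of those services without noticing. The `:z` suffix on `..:/code` relabels the host checkout as shared container content on an SELinux host, while `~/.ssh:/root/.ssh` is deliberately left without a relabel flag; a one-line comment on each mount recording that asymmetry (`# :z relabels the checkout for SELinux; ~/.ssh is intentionally not relabelled`) would prevent a well-meaning "fix" that relabels the host's SSH directory. The enclosing service definition starts before this hunk.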