Find a way to not need `CAP_SYS_ADMIN`

dgtlmoon / sockpuppetbrowser

A scalable server for providing Chrome interfaces where needed

Apache License 2.0

33 stars 7 forks source link

Closed dgtlmoon closed 9 months ago

dgtlmoon commented 9 months ago

CAP_SYS_ADMIN is too powerful

dgtlmoon commented 9 months ago

resolved with seccomp

robinvalk commented 2 weeks ago

Could some more information be shared on how to limit the container's required privileges? What profile do you use?

In the changedetection-io docker-compose file the SYS_ADMIN capabilities are still listed. That seems a bit excessive.