Allow dropping capabilities + prevent additional capabilities (#81)

* Allow dropping certain capabilities

* Allow setting "--security-opt no-new-privileges"

* Fix code style

* Fix default value

* Fix handling of PYTHON_RUNNER_DROPPED_CAPABILITIES

* Fix code style

* Fix option

* Fix options

---------

Co-authored-by: Simon Hammes <[email protected]>

Author: simonhammes

starter/runner.py

@@ -49,6 +49,14 @@
 TMPFS_MOUNT_SIZE_IN_BYTES = os.environ.get(
     "PYTHON_RUNNER_TMPFS_MOUNT_SIZE_IN_BYTES", "104857600"
 )
+DROPPED_CAPABILITIES = [
+    cap
+    for cap in os.environ.get("PYTHON_RUNNER_DROPPED_CAPABILITIES", "").split(",")
+    if cap.strip()
+]
+NO_NEW_PRIVILEGES = (
+    os.environ.get("PYTHON_RUNNER_NO_NEW_PRIVILEGES", "false").lower() == "true"
+)
 OTHER_OPTIONS = os.environ.get("PYTHON_RUNNER_OTHER_OPTIONS", "[]")
 try:
     OTHER_OPTIONS = ast.literal_eval(OTHER_OPTIONS)
@@ -308,6 +316,13 @@ def run_python(data):
         command.extend(
             ["--mount", f"type=tmpfs,dst=/tmp,tmpfs-size={TMPFS_MOUNT_SIZE_IN_BYTES}"]
         )
+    if DROPPED_CAPABILITIES:
+        command.extend(
+            f"--cap-drop={capability}" for capability in DROPPED_CAPABILITIES
+        )
+    if NO_NEW_PRIVILEGES:
+        # Prevent container from gaining additional privileges
+        command.extend(["--security-opt", "no-new-privileges"])
     # other options, these options are experimental, may cause failure to start script
     if OTHER_OPTIONS and isinstance(OTHER_OPTIONS, list):
         for option in OTHER_OPTIONS: