mhofman · January 20, 2019 04:32
diff --git a/Dockerfile b/Dockerfile
 FROM alpine:edge

 COPY files /
 ARG DNSMASQ_UID=100
 ARG DNSMASQ_GID=101
 ARG user=dnsmasq
 ARG capabilities=cap_net_raw,cap_net_bind_service
 # Because Synology is dumb
 ENV DNSMASQ_UID="${DNSMASQ_UID}"
 ENV DNSMASQ_GID="${DNSMASQ_GID}"
 ENV user="${user}"
 ENV capabilities="${capabilities}"

 RUN addgroup -g $DNSMASQ_GID -S $user
 RUN adduser -u $DNSMASQ_UID -S -D -H -h /dev/null -s /sbin/nologin -G $user -g $user $user

 RUN apk --no-cache add dnsmasq libcap
 EXPOSE 53 53/udp

 ENTRYPOINT ["/entrypoint.sh", "dnsmasq", "-k"]
diff --git a/entrypoint.sh b/entrypoint.sh
 #!/bin/sh

 # Output syslog to stdout
 #syslogd -O /proc/1/fd/1

 case "$user" in
    "0"|"root"|"") exec $*;;
    # exec will never return so only other values execute below
 esac

 dnsmasq_capabilities_allowed="cap_net_raw,cap_net_bind_service,cap_net_admin"
 /usr/sbin/setcap ${dnsmasq_capabilities_allowed}=ie /usr/sbin/dnsmasq

 #Make sure the capabilities are separated by comma with no spaces
 capabilities=$(echo ${capabilities:-"cap_net_bind_service"} | sed -e 's/,/ /g' -e 's/[ \t]\+/,/g')

 echo Starting \"$*\" as user \"$user\" with inherited capabilities "$capabilities"

 # 1. Keep permitted, requested + temp capabilities when setuid
 # 2. Setuid to user/group
 # 3. Make sure requested capabilities can be inherited and enable setpcap capability
 # 4. Drop bound capabilities 
 exec /usr/sbin/capsh --keep=1 --caps="${capabilities}+p cap_setgid,cap_setuid,cap_setpcap+ep" --user=$user --caps="${capabilities}+i cap_setpcap+ep" --drop="all" -- $*
diff --git a/files-bin-bash b/files-bin-bash
 #!/bin/sh

 # special "bash" called by capsh which will actually execute the parameters or invoke the shell if nothing provided
 exec ${*:-/bin/sh}
diff --git a/files-etc-dnsmasq.conf b/files-etc-dnsmasq.conf
 listen-address=192.168.1.1
 bind-interfaces

 # Not needed since setuid before launch
 #user=dnsmasq
 #group=dnsmasq

 dhcp-broadcast # avoid ARP injection when lack of NET_ADMIN capability
 no-ping # ICMP requires NET_RAW capability
	FROM alpine:edge

	COPY files /
	ARG DNSMASQ_UID=100
	ARG DNSMASQ_GID=101
	ARG user=dnsmasq
	ARG capabilities=cap_net_raw,cap_net_bind_service
	# Because Synology is dumb
	ENV DNSMASQ_UID="${DNSMASQ_UID}"
	ENV DNSMASQ_GID="${DNSMASQ_GID}"
	ENV user="${user}"
	ENV capabilities="${capabilities}"

	RUN addgroup -g $DNSMASQ_GID -S $user
	RUN adduser -u $DNSMASQ_UID -S -D -H -h /dev/null -s /sbin/nologin -G $user -g $user $user

	RUN apk --no-cache add dnsmasq libcap
	EXPOSE 53 53/udp

	ENTRYPOINT ["/entrypoint.sh", "dnsmasq", "-k"]
	#!/bin/sh

	# Output syslog to stdout
	#syslogd -O /proc/1/fd/1

	case "$user" in
	"0"\|"root"\|"") exec $*;;
	# exec will never return so only other values execute below
	esac

	dnsmasq_capabilities_allowed="cap_net_raw,cap_net_bind_service,cap_net_admin"
	/usr/sbin/setcap ${dnsmasq_capabilities_allowed}=ie /usr/sbin/dnsmasq

	#Make sure the capabilities are separated by comma with no spaces
	capabilities=$(echo ${capabilities:-"cap_net_bind_service"} \| sed -e 's/,/ /g' -e 's/[ \t]\+/,/g')

	echo Starting \"$*\" as user \"$user\" with inherited capabilities "$capabilities"

	# 1. Keep permitted, requested + temp capabilities when setuid
	# 2. Setuid to user/group
	# 3. Make sure requested capabilities can be inherited and enable setpcap capability
	# 4. Drop bound capabilities
	exec /usr/sbin/capsh --keep=1 --caps="${capabilities}+p cap_setgid,cap_setuid,cap_setpcap+ep" --user=$user --caps="${capabilities}+i cap_setpcap+ep" --drop="all" -- $*
	#!/bin/sh

	# special "bash" called by capsh which will actually execute the parameters or invoke the shell if nothing provided
	exec ${*:-/bin/sh}
	listen-address=192.168.1.1
	bind-interfaces

	# Not needed since setuid before launch
	#user=dnsmasq
	#group=dnsmasq

	dhcp-broadcast # avoid ARP injection when lack of NET_ADMIN capability
	no-ping # ICMP requires NET_RAW capability