Merge branch 'master' into 202308111623_local_endianness

keylime · Aug 11, 2023 · 4f46f43 · 4f46f43
2 parents 64d00ca + 5965a15
commit 4f46f43
Show file tree

Hide file tree

Showing 3 changed files with 9 additions and 0 deletions.
diff --git a/docker/release/Dockerfile.distroless b/docker/release/Dockerfile.distroless
@@ -95,5 +95,8 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
+# Create a system user 'keylime' to allow dropping privileges
+RUN useradd -s /sbin/nologin -r -G tss keylime
+
 # run as root by default
 USER 0:0
diff --git a/docker/release/Dockerfile.fedora b/docker/release/Dockerfile.fedora
@@ -64,5 +64,8 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
+# Create a system user 'keylime' to allow dropping privileges
+RUN useradd -s /sbin/nologin -r -G tss keylime
+
 # run as root by default
 USER 0:0
diff --git a/docker/release/Dockerfile.wolfi b/docker/release/Dockerfile.wolfi
@@ -106,5 +106,8 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
+# Create a system user 'keylime' to allow dropping privileges
+RUN useradd -s /sbin/nologin -r -G tss keylime
+
 # run as root by default
 USER 0:0