From 5965a15cd4f03d7247475466b49a0b2a5e4d0ff6 Mon Sep 17 00:00:00 2001
From: Anderson Toshiyuki Sasaki
Date: Thu, 10 Aug 2023 16:20:23 +0200
Subject: [PATCH] docker: Add 'keylime' system user

This allows dropping privileges inside the container.

Signed-off-by: Anderson Toshiyuki Sasaki
---
 docker/release/Dockerfile.distroless | 3 +++
 docker/release/Dockerfile.fedora | 3 +++
 docker/release/Dockerfile.wolfi | 3 +++
 3 files changed, 9 insertions(+)

diff --git a/docker/release/Dockerfile.distroless b/docker/release/Dockerfile.distroless
index 576aab2a7..1be9ba528 100644
--- a/docker/release/Dockerfile.distroless
+++ b/docker/release/Dockerfile.distroless
@@ -95,5 +95,8 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
+# Create a system user 'keylime' to allow dropping privileges
+RUN useradd -s /sbin/nologin -r -G tss keylime
+
 # run as root by default
 USER 0:0
diff --git a/docker/release/Dockerfile.fedora b/docker/release/Dockerfile.fedora
index 1a153a286..78fbdbfb9 100644
--- a/docker/release/Dockerfile.fedora
+++ b/docker/release/Dockerfile.fedora
@@ -64,5 +64,8 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
+# Create a system user 'keylime' to allow dropping privileges
+RUN useradd -s /sbin/nologin -r -G tss keylime
+
 # run as root by default
 USER 0:0
diff --git a/docker/release/Dockerfile.wolfi b/docker/release/Dockerfile.wolfi
index 24c9a9884..8ca18c0ea 100644
--- a/docker/release/Dockerfile.wolfi
+++ b/docker/release/Dockerfile.wolfi
@@ -106,5 +106,8 @@ LABEL install="podman volume create keylime-agent"
 LABEL uninstall="podman volume rm keylime-agent"
 LABEL run="podman run --read-only --name keylime-agent --rm --device /dev/tpm0 --device /dev/tpmrm0 -v keylime-agent:/var/lib/keylime -v /etc/keylime:/etc/keylime:ro --tmpfs /var/lib/keylime/secure:rw,size=1m,mode=0700 -dt IMAGE"
 
+# Create a system user 'keylime' to allow dropping privileges
+RUN useradd -s /sbin/nologin -r -G tss keylime
+
 # run as root by default
 USER 0:0
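Review bot: The added `RUN useradd -s /sbin/nologin -r -G tss keylime` in this Dockerfile.distroless hunk (and identically in the Dockerfile.fedora and Dockerfile.wolfi hunks) pins no `--uid`/`--gid`, so each base image's login.defs allocates the system id and `keylime` can end up with a different UID in each of the three images and on each rebuild. Once privileges are actually dropped that id is what the `keylime-agent` volume mounted at `/var/lib/keylime` in the `run` label must be owned by and what a `runAsUser`/`runAsNonRoot` policy verifies, so it should be fixed explicitly: `RUN groupadd -r -g <GID-PLACEHOLDER> keylime && useradd -r -u <UID-PLACEHOLDER> -g keylime -G tss -s /sbin/nologin keylime`. `-G tss` also presumes a `tss` group already exists in the final stage at this point; if the package that creates it is installed later, or not at all in the distroless/wolfi variants, `useradd` fails the build, so this is worth confirming per image. Since the unchanged context keeps `USER 0:0`, the new comment should say how the user is meant to be used, e.g. `# Create a system user 'keylime'; the default stays root (USER 0:0), pass --user keylime at run time to drop privileges`.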