From aa0705dd6c18cf1547e540de809ca99e1e8bb41b Mon Sep 17 00:00:00 2001
From: Tommy
Date: Sun, 11 Sep 2022 16:27:22 -0400
Subject: [PATCH] Drop capabilities
Signed-off-by: Tommy
---
docker-compose.yml | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index da2b6df..6fd5e66 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -26,6 +26,10 @@ services: - postgres networks: - matrix
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
postgres: image: docker.io/postgres:alpine
@@ -49,6 +53,14 @@ services: - ./element-config.json:/app/config.json:Z networks: - matrix
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
+ cap_add:
+ - CHOWN
+ - SETGID
+ - SETUID
swag: image: ghcr.io/linuxserver/swag
@@ -83,6 +95,10 @@ services: - synapse networks: - matrix
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
mjolnir: image: matrixdotorg/mjolnir:latest
@@ -94,6 +110,10 @@ services: - pantalaimon networks: - matrix
+ security_opt:
+ - no-new-privileges:true
+ cap_drop:
+ - ALL
networks: matrix:
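Review bot: In the hunk at `@@ -26,6 +26,10 @@` the service gets `cap_drop: ALL` with no `cap_add`, and the visible lines show no `user:` key, so whether the container still starts depends on the image's entrypoint. An entrypoint that starts as root and then chowns its data directory or switches to an unprivileged uid needs CHOWN, SETGID and SETUID, which is presumably why the next hunk re-adds them for the service mounting `/app/config.json`. The hunks at `-83,6` and `-94,6` have the same shape. Where the image supports it, setting the runtime identity explicitly, e.g. `user: "<uid>:<gid>"` (placeholder values), lets the empty capability set work without relying on entrypoint behaviour; otherwise add the minimal `cap_add` list. The service definitions begin outside these hunks, so an existing `user:` line may already cover this.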
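Review bot: The `cap_add` list in the hunk at `@@ -49,6 +53,14 @@` has no comment saying why CHOWN, SETGID and SETUID are needed, so a later reader cannot tell whether the list is still minimal. I would add a line above `cap_add:` such as `# entrypoint runs as root, chowns runtime dirs, then drops to a worker user (verify against the image)`; the reason is inferred, since the service's image line is outside the hunk. These capabilities stay available to root inside the container for its whole lifetime, so the list is worth re-checking whenever the image changes.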
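Review bot: After the hunk at `@@ -94,6 +110,10 @@` the `postgres` and `swag` services, visible only as trailing context of the first two hunks, appear to receive neither option; the four hunks account for all 20 insertions in the diffstat. `swag` is presumably the proxy in front of the stack, which would make it the service where a reduced capability set matters most. The `no-new-privileges:true` entry under `security_opt` does not depend on the capability set and could probably be added to both as a first step, with `cap_drop: ALL` plus a tested `cap_add` list to follow. Their definitions are outside the hunks, so they may already carry these keys.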