Merge pull request #97 from linuxserver/harden-kali

add new container env vars and hardening setup kali

Author: thelamer

Dockerfile

@@ -16,24 +16,29 @@ RUN \
     https://github.com/selkies-project/selkies.git \
     /src && \
   cd /src && \
-  git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab
+  git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f
 
 RUN \
-  echo "**** build frontend ****" && \
-  cd /src && \
-  cd addons/gst-web-core && \
-  npm install && \
-  npm run build && \
-  cp dist/selkies-core.js ../selkies-dashboard/src && \
-  cd ../selkies-dashboard && \
+  echo "**** build shared core library ****" && \
+  cd /src/addons/gst-web-core && \
   npm install && \
   npm run build && \
-  mkdir dist/src dist/nginx && \
-  cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
-  cp ../gst-web-core/nginx/* dist/nginx/ && \
-  cp -r ../gst-web-core/dist/jsdb dist/ && \
+  echo "**** build multiple dashboards ****" && \
+  DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \
   mkdir /buildout && \
-  cp -ar dist/* /buildout/
+  for DASH in $DASHBOARDS; do \
+    cd /src/addons/$DASH && \
+    cp ../gst-web-core/dist/selkies-core.js src/ && \
+    npm install && \
+    npm run build && \
+    mkdir -p dist/src dist/nginx && \
+    cp ../gst-web-core/dist/selkies-core.js dist/src/ && \
+    cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
+    cp ../gst-web-core/nginx/* dist/nginx/ && \
+    cp -r ../gst-web-core/dist/jsdb dist/ && \
+    mkdir -p /buildout/$DASH && \
+    cp -ar dist/* /buildout/$DASH/; \
+  done
 
 # Runtime stage
 FROM ghcr.io/linuxserver/baseimage-debian:kali
@@ -175,7 +180,7 @@ RUN \
     | awk '/tag_name/{print $4;exit}' FS='[""]') && \
   curl -o \
     /tmp/selkies.tar.gz -L \
-    "https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \
+    "https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \
   cd /tmp && \
   tar xf selkies.tar.gz && \
   cd selkies-* && \
@@ -218,6 +223,9 @@ RUN \
     -e 's|</keyboard>|  <keybind key="C-S-d"><action name="ToggleDecorations"/></keybind>\n</keyboard>|' \
     -e 's|<number>4</number>|<number>1</number>|' \
     /etc/xdg/openbox/rc.xml && \
+  sed -i \
+    's/--startup/--replace --startup/g' \
+    /usr/bin/openbox-session && \
   echo "**** user perms ****" && \
   sed -e 's/%sudo	ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' \
     -i /etc/sudoers && \
@@ -262,7 +270,7 @@ RUN \
 
 # add local files
 COPY /root /
-COPY --from=frontend /buildout /usr/share/selkies/www
+COPY --from=frontend /buildout /usr/share/selkies
 COPY --from=xvfb / /
 
 # ports and volumes

Dockerfile.aarch64

@@ -16,24 +16,29 @@ RUN \
     https://github.com/selkies-project/selkies.git \
     /src && \
   cd /src && \
-  git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab
+  git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f
 
 RUN \
-  echo "**** build frontend ****" && \
-  cd /src && \
-  cd addons/gst-web-core && \
-  npm install && \
-  npm run build && \
-  cp dist/selkies-core.js ../selkies-dashboard/src && \
-  cd ../selkies-dashboard && \
+  echo "**** build shared core library ****" && \
+  cd /src/addons/gst-web-core && \
   npm install && \
   npm run build && \
-  mkdir dist/src dist/nginx && \
-  cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
-  cp ../gst-web-core/nginx/* dist/nginx/ && \
-  cp -r ../gst-web-core/dist/jsdb dist/ && \
+  echo "**** build multiple dashboards ****" && \
+  DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \
   mkdir /buildout && \
-  cp -ar dist/* /buildout/
+  for DASH in $DASHBOARDS; do \
+    cd /src/addons/$DASH && \
+    cp ../gst-web-core/dist/selkies-core.js src/ && \
+    npm install && \
+    npm run build && \
+    mkdir -p dist/src dist/nginx && \
+    cp ../gst-web-core/dist/selkies-core.js dist/src/ && \
+    cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
+    cp ../gst-web-core/nginx/* dist/nginx/ && \
+    cp -r ../gst-web-core/dist/jsdb dist/ && \
+    mkdir -p /buildout/$DASH && \
+    cp -ar dist/* /buildout/$DASH/; \
+  done
 
 # Runtime stage
 FROM ghcr.io/linuxserver/baseimage-debian:arm64v8-kali
@@ -173,7 +178,7 @@ RUN \
     | awk '/tag_name/{print $4;exit}' FS='[""]') && \
   curl -o \
     /tmp/selkies.tar.gz -L \
-    "https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \
+    "https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \
   cd /tmp && \
   tar xf selkies.tar.gz && \
   cd selkies-* && \
@@ -216,6 +221,9 @@ RUN \
     -e 's|</keyboard>|  <keybind key="C-S-d"><action name="ToggleDecorations"/></keybind>\n</keyboard>|' \
     -e 's|<number>4</number>|<number>1</number>|' \
     /etc/xdg/openbox/rc.xml && \
+  sed -i \
+    's/--startup/--replace --startup/g' \
+    /usr/bin/openbox-session && \
   echo "**** user perms ****" && \
   sed -e 's/%sudo	ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' \
     -i /etc/sudoers && \
@@ -260,7 +268,7 @@ RUN \
 
 # add local files
 COPY /root /
-COPY --from=frontend /buildout /usr/share/selkies/www
+COPY --from=frontend /buildout /usr/share/selkies
 COPY --from=xvfb / /
 
 # ports and volumes

root/defaults/default.conf

@@ -4,7 +4,7 @@ server {
   listen 3000 default_server;
   listen [::]:3000 default_server;
   location SUBFOLDER {
-    alias /usr/share/selkies/www/;
+    alias /usr/share/selkies/web/;
     index  index.html index.htm;
     try_files $uri $uri/ =404;
   }
@@ -42,11 +42,15 @@ server {
     fancyindex on;
     fancyindex_footer SUBFOLDERnginx/footer.html;
     fancyindex_header SUBFOLDERnginx/header.html;
-    alias REPLACE_HOME/Desktop/;
+    alias REPLACE_DOWNLOADS_PATH/;
+    if (-f $request_filename) {
+        add_header Content-Disposition "attachment";
+        add_header X-Content-Type-Options "nosniff";
+    }
   }
   error_page 500 502 503 504 /50x.html;
   location = SUBFOLDER50x.html {
-    root /usr/share/selkies/www/;
+    root /usr/share/selkies/web/;
   }
 }
 
@@ -58,7 +62,7 @@ server {
   ssl_certificate           /config/ssl/cert.pem;
   ssl_certificate_key       /config/ssl/cert.key;
   location SUBFOLDER {
-    alias /usr/share/selkies/www/;
+    alias /usr/share/selkies/web/;
     index  index.html index.htm;
     try_files $uri $uri/ =404;
   }
@@ -96,12 +100,14 @@ server {
     fancyindex on;
     fancyindex_footer SUBFOLDERnginx/footer.html;
     fancyindex_header SUBFOLDERnginx/header.html;
-    alias REPLACE_HOME/Desktop/;
+    alias REPLACE_DOWNLOADS_PATH/;
+    if (-f $request_filename) {
+        add_header Content-Disposition "attachment";
+        add_header X-Content-Type-Options "nosniff";
+    }
   } 
   error_page 500 502 503 504 /50x.html;
   location = SUBFOLDER50x.html {
-    root /usr/share/selkies/www/;
+    root /usr/share/selkies/web/;
   }
 }
-
-

root/etc/s6-overlay/s6-rc.d/init-nginx/run

@@ -9,6 +9,10 @@ CHPORT="${CUSTOM_HTTPS_PORT:-3001}"
 CWS="${CUSTOM_WS_PORT:-8082}"
 CUSER="${CUSTOM_USER:-abc}"
 SFOLDER="${SUBFOLDER:-/}"
+FILE_MANAGER_PATH="${FILE_MANAGER_PATH:-$HOME/Desktop}"
+DASHBOARD="${DASHBOARD:-selkies-dashboard}"
+SELKIES_FILE_TRANSFERS="${SELKIES_FILE_TRANSFERS:-upload,download}"
+HARDEN_DESKTOP="${HARDEN_DESKTOP:-false}"
 
 # create self signed cert
 if [ ! -f "/config/ssl/cert.pem" ]; then
@@ -28,8 +32,11 @@ sed -i "s/3000/$CPORT/g" ${NGINX_CONFIG}
 sed -i "s/3001/$CHPORT/g" ${NGINX_CONFIG}
 sed -i "s/CWS/$CWS/g" ${NGINX_CONFIG}
 sed -i "s|SUBFOLDER|$SFOLDER|g" ${NGINX_CONFIG}
-sed -i "s|REPLACE_HOME|$HOME|g" ${NGINX_CONFIG}
-s6-setuidgid abc mkdir -p $HOME/Desktop
+sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" ${NGINX_CONFIG}
+s6-setuidgid abc mkdir -p ${FILE_MANAGER_PATH}
+if [[ $SELKIES_FILE_TRANSFERS != *"download"* ]] || [[ ${HARDEN_DESKTOP,,} == "true" ]]; then
+  sed -i '/files {/,/^  }/d' ${NGINX_CONFIG}
+fi
 if [ ! -z ${DISABLE_IPV6+x} ]; then
   sed -i '/listen \[::\]/d' ${NGINX_CONFIG}
 fi
@@ -44,7 +51,34 @@ if [ ! -z ${DEV_MODE+x} ]; then
     ${NGINX_CONFIG}
 fi
 
-# copy favicon
+# set dashboard and icon
+rm -Rf \
+  /usr/share/selkies/web
+cp -a \
+  /usr/share/selkies/$DASHBOARD \
+  /usr/share/selkies/web
+sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" /usr/share/selkies/web/nginx/footer.html
+cp \
+  /usr/share/selkies/www/icon.png \
+  /usr/share/selkies/web/favicon.ico
 cp \
   /usr/share/selkies/www/icon.png \
-  /usr/share/selkies/www/favicon.ico
+  /usr/share/selkies/web/icon.png
+# manifest creation
+echo "{
+  \"name\": \"${TITLE}\",
+  \"short_name\": \"${TITLE}\",
+  \"manifest_version\": 2,
+  \"version\": \"1.0.0\",
+  \"display\": \"fullscreen\",
+  \"background_color\": \"#000000\",
+  \"theme_color\": \"#000000\",
+  \"icons\": [
+    {
+      \"src\": \"icon.png\",
+      \"type\": \"image/png\",
+      \"sizes\": \"180x180\"
+    }
+  ],
+  \"start_url\": \"/\"
+}" > /usr/share/selkies/web/manifest.json