From b8f69ed6e2007814b1c7fa399e0a33b28807b865 Mon Sep 17 00:00:00 2001 From: Bensuperpc Date: Sun, 22 Sep 2024 19:57:33 +0200 Subject: [PATCH] Add more cap_drop Signed-off-by: Bensuperpc --- infrastructure/it-tools/docker-compose.it-tools.yml | 11 +++++++++-- infrastructure/picoshare/docker-compose.picoshare.yml | 8 +++++--- .../projectsend/docker-compose.projectsend.yml | 2 ++ .../uptime-kuma/docker-compose.uptime-kuma.yml | 2 ++ 4 files changed, 18 insertions(+), 5 deletions(-) diff --git a/infrastructure/it-tools/docker-compose.it-tools.yml b/infrastructure/it-tools/docker-compose.it-tools.yml index c2e7f21..12e914b 100644 --- a/infrastructure/it-tools/docker-compose.it-tools.yml +++ b/infrastructure/it-tools/docker-compose.it-tools.yml @@ -10,9 +10,12 @@ services: - caddy networks: - infra-network + read_only: false security_opt: - no-new-privileges:true - read_only: false + cap_drop: + - SYS_ADMIN + deploy: resources: limits: @@ -21,6 +24,7 @@ services: reservations: cpus: '0.001' memory: 20M + it-tools1: image: corentinth/it-tools:latest container_name: it-tools1 @@ -31,9 +35,12 @@ services: - caddy networks: - infra-network + read_only: false security_opt: - no-new-privileges:true - read_only: false + cap_drop: + - SYS_ADMIN + deploy: resources: limits: diff --git a/infrastructure/picoshare/docker-compose.picoshare.yml b/infrastructure/picoshare/docker-compose.picoshare.yml index fc23de1..617f117 100644 --- a/infrastructure/picoshare/docker-compose.picoshare.yml +++ b/infrastructure/picoshare/docker-compose.picoshare.yml @@ -16,9 +16,11 @@ services: - infra-network security_opt: - no-new-privileges:true - read_only: true - tmpfs: - - /tmp + read_only: false + cap_drop: + - SYS_ADMIN +# tmpfs: +# - /tmp deploy: resources: limits: diff --git a/infrastructure/projectsend/docker-compose.projectsend.yml b/infrastructure/projectsend/docker-compose.projectsend.yml index a6a6b39..bda7059 100644 --- a/infrastructure/projectsend/docker-compose.projectsend.yml 
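Review bot: The `cap_drop:` entry `- SYS_ADMIN` added to the `it-tools` service removes a capability that Docker does not grant to containers by default, so unless the service runs privileged or adds it elsewhere, its effective capability set is unchanged. The same applies to the identical additions for `it-tools1`, picoshare, projectsend and uptime-kuma in the later hunks. To actually shrink the set, write `- ALL` in place of `- SYS_ADMIN` and list under `cap_add:` only what each image proves to need (for example `NET_BIND_SERVICE` if it binds a port below 1024). The service definitions start outside these hunks, so whether any of them sets `privileged` or `cap_add` is not visible here.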
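Review bot: In the picoshare hunk the root filesystem changes from `read_only: true` with a `/tmp` tmpfs to `read_only: false` with the tmpfs commented out, which removes more hardening than the added `cap_drop` provides and is not mentioned in the commit subject. If the service failed on a read-only root, presumably because it writes somewhere other than `/tmp`, the narrower fix is to keep `read_only: true` and the `tmpfs:` entry and give that one path its own tmpfs or volume. If the change has to stay, a comment above `read_only: false` naming the path that must be writable would make it possible to revert later, and the two commented-out lines at column 0 could then be deleted. The service's volume list is outside the hunk, so the writable path cannot be named from here.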
+++ b/infrastructure/projectsend/docker-compose.projectsend.yml @@ -18,6 +18,8 @@ services: - infra-network security_opt: - no-new-privileges:true + cap_drop: + - SYS_ADMIN # Database projectsend projectsend_db: diff --git a/infrastructure/uptime-kuma/docker-compose.uptime-kuma.yml b/infrastructure/uptime-kuma/docker-compose.uptime-kuma.yml index d9456b5..9f9575c 100644 --- a/infrastructure/uptime-kuma/docker-compose.uptime-kuma.yml +++ b/infrastructure/uptime-kuma/docker-compose.uptime-kuma.yml @@ -14,6 +14,8 @@ services: - infra-network security_opt: - no-new-privileges:true + cap_drop: + - SYS_ADMIN volumes: uptimekuma_data: