From e55faec870f6ab31da4e9acc4b1f70ed7cce99a2 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Wed, 30 Aug 2023 17:02:49 +0200
Subject: [PATCH 1/4] add additinaly allowed rules for haproxy

Signed-off-by: Simon L
---
 Containers/docker-socket-proxy/haproxy.cfg | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg
index 024983b5..fe3d08b5 100644
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
@@ -11,6 +11,8 @@ frontend http
 http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((json)|(start)|(stop)) } METH_GET
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((json)) } METH_GET
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
 
 # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
 acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"

From 5523dfc6ae18e60759d9f085e3f7ba718b9410e2 Mon Sep 17 00:00:00 2001
From: Alexander Piskun
Date: Thu, 31 Aug 2023 12:03:24 +0300
Subject: [PATCH 2/4] small rules adjustments

---
 Containers/docker-socket-proxy/haproxy.cfg | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg
index fe3d08b5..13d3faf6 100644
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
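Review bot: None of the path patterns on the two added rules (nor the two existing allow rules above them) is anchored at the end, so `^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((json))` also admits any longer path that merely begins with the inspect endpoint, and the DELETE pattern admits anything at or below `/containers/nc_app_<name>`. Whether the Docker API exposes a sub-path that this would wrongly let through is not something the hunk shows, but an allow-list in front of the Docker socket should name exactly one endpoint per rule; appending `$` to each regex does that, e.g. `http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json$ } METH_GET`. The same applies to the rules PATCH 2/4 rewrites in its first hunk, to the `volumes/nc_app_..._data` DELETE rule in its second hunk, and to the `url_param(name)` ACL `"^nc_app_[a-zA-Z0-9_.-]+"`, which is likewise open-ended.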
@@ -9,11 +9,15 @@ frontend http
 mode http
 bind :2375
 http-request deny unless { src 127.0.0.1 } || { src ::1 } || { src NC_IPV4_PLACEHOLDER } || { src NC_IPV6_PLACEHOLDER }
- http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((json)|(start)|(stop)) } METH_GET
- http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
- http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((json)) } METH_GET
+ # container inspect: GET containers/%s/json
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/json } METH_GET
+ # container start/stop: POST containers/%s/start containers/%s/stop
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+/((start)|(stop)) } METH_POST
+ # container rm: DELETE containers/%s
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/nc_app_[a-zA-Z0-9_.-]+ } METH_DELETE
+
+ # container create: POST containers/create?name=%s
 # ACL to restrict container name to nc_app_[a-zA-Z0-9_.-]+
 acl nc_app_container_name url_param(name) -m reg -i "^nc_app_[a-zA-Z0-9_.-]+"
@@ -30,10 +34,17 @@ frontend http
 # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
 acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name no_privileged_flag nc_app_volume_data_only METH_POST
+ # end of container create
 
+ # volume create: POST volumes/create
+ # restrict name
 acl nc_app_volume_data req.body -m reg -i "\"Name\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
- http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data METH_POST
+ # do not allow to use "device" word e.g., "--opt device=:/path/to/dir"
+ acl volume_no_device req.body -m reg -i "\"device\""
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/create } nc_app_volume_data !volume_no_device METH_POST
+ # volume rm: DELETE volumes/%s
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/volumes/nc_app_[a-zA-Z0-9_.-]+_data } METH_DELETE
+ # image pull: POST images/create?fromImage=%s
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/images/create } METH_POST
 http-request deny
 default_backend dockerbackend

From f0542158de04fe362971465c0b30289fb795a062 Mon Sep 17 00:00:00 2001
From: Simon L
Date: Thu, 31 Aug 2023 11:33:49 +0200
Subject: [PATCH 3/4] do not allow to set privileged at all

Signed-off-by: Simon L
---
 Containers/docker-socket-proxy/haproxy.cfg | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg
index 13d3faf6..fa0df4d3 100644
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
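Review bot: The negated ACL `!volume_no_device` on the new `volumes/create` rule is only as strong as the part of the request body HAProxy actually inspects: `req.body` sees at most the buffered portion, so a negated match is trivially true for anything beyond it, whereas the positive `nc_app_volume_data` match fails closed. Whether this frontend enables `option http-buffer-request` is outside the hunk; if it does, a size cap ahead of the allow rules, e.g. `http-request deny if { req.body_size gt 16384 }` (16384 is a constructed example, choose a value your buffer tuning supports), keeps every body-based ACL fail-closed. The same consideration applies to the negated `!no_privileged_flag` that PATCH 4/4 puts on the container-create rule. Separately, denying the literal word `"device"` rejects any body containing it (a label value, say) while leaving the rest of `DriverOpts` unconstrained; an allow-list that requires the expected `Driver` and no `DriverOpts` at all would express the intent in the comment more tightly.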
@@ -29,8 +29,8 @@ frontend http
 
 acl type_not_volume req.body -m reg -i "\"Mounts\":\s*\[[^\]]*(\"Type\":\s*\"(?!volume\b)\w+\"[^\]]*)+\]"
 http-request deny if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !one_mount_volume binds_present type_not_volume METH_POST
- # ACL to restrict container creation, that it has HostConfig.Privileged only set to false
- acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\":\s?false"
+ # ACL to restrict container creation, that it has HostConfig.Privileged not set
+ acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\"\s*:"
 # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
 acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
 http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name no_privileged_flag nc_app_volume_data_only METH_POST

From 594b3f10e14e065ae2fe104974c088ce6c065203 Mon Sep 17 00:00:00 2001
From: Andrey Borysenko
Date: Thu, 31 Aug 2023 12:45:19 +0300
Subject: [PATCH 4/4] use inverted no_privileged_flag

Signed-off-by: Andrey Borysenko
---
 Containers/docker-socket-proxy/haproxy.cfg | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Containers/docker-socket-proxy/haproxy.cfg b/Containers/docker-socket-proxy/haproxy.cfg
index fa0df4d3..65c08df4 100644
--- a/Containers/docker-socket-proxy/haproxy.cfg
+++ b/Containers/docker-socket-proxy/haproxy.cfg
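Review bot: The rewritten `no_privileged_flag` regex still scopes the search to `"HostConfig":\s?{[^}]*`, and `[^}]*` stops at the first closing brace, so the key goes undetected whenever any nested object inside `HostConfig` precedes it; since the commit's stated intent is that the key must never appear at all, the narrow scoping buys nothing and only adds a blind spot. Matching the key anywhere in the body, `acl no_privileged_flag req.body -m reg -i "\"Privileged\"\s*:"`, is simpler and has no such gap (it would also reject the key at top level, which has no legitimate use here). Note that within this patch the allow rule on the last context line still uses the un-negated ACL, so container creation is refused for exactly the bodies the comment describes as acceptable; PATCH 4/4 corrects that. `Privileged` is also only one of the `HostConfig` keys that widen host access (`CapAdd` and `Devices` are others), and the same presence check is worth extending to them, though that is beyond this patch.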
@@ -33,7 +33,7 @@ frontend http
 acl no_privileged_flag req.body -m reg -i "\"HostConfig\":\s?{[^}]*\"Privileged\"\s*:"
 # ACL to allow mount volume with strict pattern for name: nc_app_[a-zA-Z0-9_.-]+_data
 acl nc_app_volume_data_only req.body -m reg -i "\"Mounts\":\s?\[\s?{[^}]*\"Source\":\s?\"nc_app_[a-zA-Z0-9_.-]+_data\""
- http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name no_privileged_flag nc_app_volume_data_only METH_POST
+ http-request allow if { path,url_dec -m reg -i ^(/v[\d\.]+)?/containers/create } nc_app_container_name !no_privileged_flag nc_app_volume_data_only METH_POST
 # end of container create
 
 # volume create: POST volumes/create
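Review bot: After this inversion the ACL name `no_privileged_flag` states the opposite of what it matches — it is true when `Privileged` is present — and the rule now reads as a double negative, `!no_privileged_flag`. Renaming it, in the `acl` line shown as the first context line of this hunk and in its comment, to something like `privileged_flag_present` would let the allow rule read `... nc_app_container_name !privileged_flag_present nc_app_volume_data_only METH_POST` and spare the next reader the mental inversion. A one-line comment on the rule itself noting that the body-based conditions inspect only the buffered request body would also help, since nothing on the allow line conveys that.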