Merge pull request #93 from linuxserver/harden-bookworm

add new container env vars and hardening setup bookworm

Author: thelamer

Dockerfile

@@ -16,24 +16,29 @@ RUN \
     https://github.com/selkies-project/selkies.git \
     /src && \
   cd /src && \
-  git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab
+  git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f
 
 RUN \
-  echo "**** build frontend ****" && \
-  cd /src && \
-  cd addons/gst-web-core && \
-  npm install && \
-  npm run build && \
-  cp dist/selkies-core.js ../selkies-dashboard/src && \
-  cd ../selkies-dashboard && \
+  echo "**** build shared core library ****" && \
+  cd /src/addons/gst-web-core && \
   npm install && \
   npm run build && \
-  mkdir dist/src dist/nginx && \
-  cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
-  cp ../gst-web-core/nginx/* dist/nginx/ && \
-  cp -r ../gst-web-core/dist/jsdb dist/ && \
+  echo "**** build multiple dashboards ****" && \
+  DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \
   mkdir /buildout && \
-  cp -ar dist/* /buildout/
+  for DASH in $DASHBOARDS; do \
+    cd /src/addons/$DASH && \
+    cp ../gst-web-core/dist/selkies-core.js src/ && \
+    npm install && \
+    npm run build && \
+    mkdir -p dist/src dist/nginx && \
+    cp ../gst-web-core/dist/selkies-core.js dist/src/ && \
+    cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
+    cp ../gst-web-core/nginx/* dist/nginx/ && \
+    cp -r ../gst-web-core/dist/jsdb dist/ && \
+    mkdir -p /buildout/$DASH && \
+    cp -ar dist/* /buildout/$DASH/; \
+  done
 
 # Runtime stage
 FROM ghcr.io/linuxserver/baseimage-debian:bookworm
@@ -184,7 +189,7 @@ RUN \
     | awk '/tag_name/{print $4;exit}' FS='[""]') && \
   curl -o \
     /tmp/selkies.tar.gz -L \
-    "https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \
+    "https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \
   cd /tmp && \
   tar xf selkies.tar.gz && \
   cd selkies-* && \
@@ -226,6 +231,9 @@ RUN \
     -e 's|</keyboard>|  <keybind key="C-S-d"><action name="ToggleDecorations"/></keybind>\n</keyboard>|' \
     -e 's|<number>4</number>|<number>1</number>|' \
     /etc/xdg/openbox/rc.xml && \
+  sed -i \
+    's/--startup/--replace --startup/g' \
+    /usr/bin/openbox-session && \
   echo "**** user perms ****" && \
   sed -e 's/%sudo	ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' \
     -i /etc/sudoers && \
@@ -270,7 +278,7 @@ RUN \
 
 # add local files
 COPY /root /
-COPY --from=frontend /buildout /usr/share/selkies/www
+COPY --from=frontend /buildout /usr/share/selkies
 COPY --from=xvfb / /
 
 # ports and volumes

Dockerfile.aarch64

@@ -16,24 +16,29 @@ RUN \
     https://github.com/selkies-project/selkies.git \
     /src && \
   cd /src && \
-  git checkout -f 89e39cf7d58c8f7c87ac5922b56b84f745ddeeab
+  git checkout -f 29466e687d2dbed57f657e47b69fab217a81ef1f
 
 RUN \
-  echo "**** build frontend ****" && \
-  cd /src && \
-  cd addons/gst-web-core && \
-  npm install && \
-  npm run build && \
-  cp dist/selkies-core.js ../selkies-dashboard/src && \
-  cd ../selkies-dashboard && \
+  echo "**** build shared core library ****" && \
+  cd /src/addons/gst-web-core && \
   npm install && \
   npm run build && \
-  mkdir dist/src dist/nginx && \
-  cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
-  cp ../gst-web-core/nginx/* dist/nginx/ && \
-  cp -r ../gst-web-core/dist/jsdb dist/ && \
+  echo "**** build multiple dashboards ****" && \
+  DASHBOARDS="selkies-dashboard selkies-dashboard-zinc selkies-dashboard-wish" && \
   mkdir /buildout && \
-  cp -ar dist/* /buildout/
+  for DASH in $DASHBOARDS; do \
+    cd /src/addons/$DASH && \
+    cp ../gst-web-core/dist/selkies-core.js src/ && \
+    npm install && \
+    npm run build && \
+    mkdir -p dist/src dist/nginx && \
+    cp ../gst-web-core/dist/selkies-core.js dist/src/ && \
+    cp ../universal-touch-gamepad/universalTouchGamepad.js dist/src/ && \
+    cp ../gst-web-core/nginx/* dist/nginx/ && \
+    cp -r ../gst-web-core/dist/jsdb dist/ && \
+    mkdir -p /buildout/$DASH && \
+    cp -ar dist/* /buildout/$DASH/; \
+  done
 
 # Runtime stage
 FROM ghcr.io/linuxserver/baseimage-debian:arm64v8-bookworm
@@ -182,7 +187,7 @@ RUN \
     | awk '/tag_name/{print $4;exit}' FS='[""]') && \
   curl -o \
     /tmp/selkies.tar.gz -L \
-    "https://github.com/selkies-project/selkies/archive/89e39cf7d58c8f7c87ac5922b56b84f745ddeeab.tar.gz" && \
+    "https://github.com/selkies-project/selkies/archive/29466e687d2dbed57f657e47b69fab217a81ef1f.tar.gz" && \
   cd /tmp && \
   tar xf selkies.tar.gz && \
   cd selkies-* && \
@@ -224,6 +229,9 @@ RUN \
     -e 's|</keyboard>|  <keybind key="C-S-d"><action name="ToggleDecorations"/></keybind>\n</keyboard>|' \
     -e 's|<number>4</number>|<number>1</number>|' \
     /etc/xdg/openbox/rc.xml && \
+  sed -i \
+    's/--startup/--replace --startup/g' \
+    /usr/bin/openbox-session && \
   echo "**** user perms ****" && \
   sed -e 's/%sudo	ALL=(ALL:ALL) ALL/%sudo ALL=(ALL:ALL) NOPASSWD: ALL/g' \
     -i /etc/sudoers && \
@@ -268,7 +276,7 @@ RUN \
 
 # add local files
 COPY /root /
-COPY --from=frontend /buildout /usr/share/selkies/www
+COPY --from=frontend /buildout /usr/share/selkies
 COPY --from=xvfb / /
 
 # ports and volumes

README.md

@@ -34,23 +34,51 @@ All application settings are passed via environment variables:
 | CUSTOM_USER | HTTP Basic auth username, abc is default. |
 | PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
 | SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` |
-| TITLE | The page title displayed on the web browser, default "Selkies - webrtc". |
+| TITLE | The page title displayed on the web browser, default "Selkies". |
+| DASHBOARD | Allows the user to set their dashboard. Options: `selkies-dashboard`, `selkies-dashboard-zinc`, `selkies-dashboard-wish`. |
+| FILE_MANAGER_PATH | Modifies the default upload/download file path, path must have proper permissions for abc user. |
 | START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. |
 | DISABLE_IPV6 | If set to true or any value this will disable IPv6 |
 | LC_ALL | Set the Language for the container to run as IE `fr_FR.UTF-8` `ar_AE.UTF-8` |
 | NO_DECOR | If set the application will run without window borders for use as a PWA. (Decor can be enabled and disabled with Ctrl+Shift+d) |
 | NO_FULL | Do not autmatically fullscreen applications when using openbox. |
 | DISABLE_ZINK | Do not set the Zink environment variables if a video card is detected (userspace applications will use CPU rendering) |
+| MAX_RES | Pass a larger maximum resolution for the container default is 16k `15360x8640` |
 | WATERMARK_PNG | Full path inside the container to a watermark png IE `/usr/share/selkies/www/icon.png` |
 | WATERMARK_LOCATION | Where to paint the image over the stream integer options below |
-| MAX_RES | Pass a larger maximum resolution for the container default is 16k `15360x8640` |
 
-* 1 - Top Left
-* 2 - Top Right
-* 3 - Bottom Left
-* 4 - Bottom Right
-* 5 - Centered
-* 6 - Animated
+**`WATERMARK_LOCATION` Options:**
+- **1**: Top Left
+- **2**: Top Right
+- **3**: Bottom Left
+- **4**: Bottom Right
+- **5**: Centered
+- **6**: Animated
+
+## Hardening
+
+These variables can be used to lock down the desktop environment for single-application use cases or to restrict user capabilities.
+
+### Meta Variables
+
+These variables act as presets, enabling multiple hardening options at once. Individual options can still be set to override the preset.
+
+| Variable | Description |
+| :----: | --- |
+| **`HARDEN_DESKTOP`** | Enables `DISABLE_OPEN_TOOLS`, `DISABLE_SUDO`, and `DISABLE_TERMINALS`. Also sets related Selkies UI settings (`SELKIES_FILE_TRANSFERS`, `SELKIES_COMMAND_ENABLED`, `SELKIES_UI_SIDEBAR_SHOW_FILES`, `SELKIES_UI_SIDEBAR_SHOW_APPS`) if they are not explicitly set by the user. |
+| **`HARDEN_OPENBOX`** | Enables `DISABLE_CLOSE_BUTTON`, `DISABLE_MOUSE_BUTTONS`, and `HARDEN_KEYBINDS`. It also flags `RESTART_APP` if not set by the user, ensuring the primary application is automatically restarted if closed. |
+
+### Individual Hardening Variables
+
+| Variable | Description |
+| :--- | --- |
+| **`DISABLE_OPEN_TOOLS`** | If true, disables `xdg-open` and `exo-open` binaries by removing their execute permissions. |
+| **`DISABLE_SUDO`** | If true, disables the `sudo` command by removing its execute permissions and invalidating the passwordless sudo configuration. |
+| **`DISABLE_TERMINALS`** | If true, disables common terminal emulators by removing their execute permissions and hiding them from the Openbox right-click menu. |
+| **`DISABLE_CLOSE_BUTTON`** | If true, removes the close button from window title bars in the Openbox window manager. |
+| **`DISABLE_MOUSE_BUTTONS`** | If true, disables the right-click and middle-click context menus and actions within the Openbox window manager. |
+| **`HARDEN_KEYBINDS`** | If true, disables default Openbox keybinds that can bypass other hardening options (e.g., `Alt+F4` to close windows, `Alt+Escape` to show the root menu). |
+| **`RESTART_APP`** | If true, enables a watchdog service that automatically restarts the main application if it is closed. The user's autostart script is made read-only and root owned to prevent tampering. |
 
 ## Selkies application settings
 
@@ -334,7 +362,7 @@ services:
           devices:
             - driver: nvidia
               count: 1
-              capabilities: [compute,video,graphics,utility]
+              capabilities: [gpu]
 ```
 
 # Development

readme-vars.yml

@@ -38,23 +38,51 @@ full_custom_readme: |
   | CUSTOM_USER | HTTP Basic auth username, abc is default. |
   | PASSWORD | HTTP Basic auth password, abc is default. If unset there will be no auth |
   | SUBFOLDER | Subfolder for the application if running a subfolder reverse proxy, need both slashes IE `/subfolder/` |
-  | TITLE | The page title displayed on the web browser, default "Selkies - webrtc". |
+  | TITLE | The page title displayed on the web browser, default "Selkies". |
+  | DASHBOARD | Allows the user to set their dashboard. Options: `selkies-dashboard`, `selkies-dashboard-zinc`, `selkies-dashboard-wish`. |
+  | FILE_MANAGER_PATH | Modifies the default upload/download file path, path must have proper permissions for abc user. |
   | START_DOCKER | If set to false a container with privilege will not automatically start the DinD Docker setup. |
   | DISABLE_IPV6 | If set to true or any value this will disable IPv6 |
   | LC_ALL | Set the Language for the container to run as IE `fr_FR.UTF-8` `ar_AE.UTF-8` |
   | NO_DECOR | If set the application will run without window borders for use as a PWA. (Decor can be enabled and disabled with Ctrl+Shift+d) |
   | NO_FULL | Do not autmatically fullscreen applications when using openbox. |
   | DISABLE_ZINK | Do not set the Zink environment variables if a video card is detected (userspace applications will use CPU rendering) |
+  | MAX_RES | Pass a larger maximum resolution for the container default is 16k `15360x8640` |
   | WATERMARK_PNG | Full path inside the container to a watermark png IE `/usr/share/selkies/www/icon.png` |
   | WATERMARK_LOCATION | Where to paint the image over the stream integer options below |
-  | MAX_RES | Pass a larger maximum resolution for the container default is 16k `15360x8640` |
 
-  * 1 - Top Left
-  * 2 - Top Right
-  * 3 - Bottom Left
-  * 4 - Bottom Right
-  * 5 - Centered
-  * 6 - Animated
+  **`WATERMARK_LOCATION` Options:**
+  - **1**: Top Left
+  - **2**: Top Right
+  - **3**: Bottom Left
+  - **4**: Bottom Right
+  - **5**: Centered
+  - **6**: Animated
+
+  ## Hardening
+
+  These variables can be used to lock down the desktop environment for single-application use cases or to restrict user capabilities.
+
+  ### Meta Variables
+
+  These variables act as presets, enabling multiple hardening options at once. Individual options can still be set to override the preset.
+
+  | Variable | Description |
+  | :----: | --- |
+  | **`HARDEN_DESKTOP`** | Enables `DISABLE_OPEN_TOOLS`, `DISABLE_SUDO`, and `DISABLE_TERMINALS`. Also sets related Selkies UI settings (`SELKIES_FILE_TRANSFERS`, `SELKIES_COMMAND_ENABLED`, `SELKIES_UI_SIDEBAR_SHOW_FILES`, `SELKIES_UI_SIDEBAR_SHOW_APPS`) if they are not explicitly set by the user. |
+  | **`HARDEN_OPENBOX`** | Enables `DISABLE_CLOSE_BUTTON`, `DISABLE_MOUSE_BUTTONS`, and `HARDEN_KEYBINDS`. It also flags `RESTART_APP` if not set by the user, ensuring the primary application is automatically restarted if closed. |
+
+  ### Individual Hardening Variables
+
+  | Variable | Description |
+  | :--- | --- |
+  | **`DISABLE_OPEN_TOOLS`** | If true, disables `xdg-open` and `exo-open` binaries by removing their execute permissions. |
+  | **`DISABLE_SUDO`** | If true, disables the `sudo` command by removing its execute permissions and invalidating the passwordless sudo configuration. |
+  | **`DISABLE_TERMINALS`** | If true, disables common terminal emulators by removing their execute permissions and hiding them from the Openbox right-click menu. |
+  | **`DISABLE_CLOSE_BUTTON`** | If true, removes the close button from window title bars in the Openbox window manager. |
+  | **`DISABLE_MOUSE_BUTTONS`** | If true, disables the right-click and middle-click context menus and actions within the Openbox window manager. |
+  | **`HARDEN_KEYBINDS`** | If true, disables default Openbox keybinds that can bypass other hardening options (e.g., `Alt+F4` to close windows, `Alt+Escape` to show the root menu). |
+  | **`RESTART_APP`** | If true, enables a watchdog service that automatically restarts the main application if it is closed. The user's autostart script is made read-only and root owned to prevent tampering. |
 
   ## Selkies application settings
 
@@ -338,7 +366,7 @@ full_custom_readme: |
             devices:
               - driver: nvidia
                 count: 1
-                capabilities: [compute,video,graphics,utility]
+                capabilities: [gpu]
   ```
   
   # Development

root/defaults/default.conf

@@ -4,7 +4,7 @@ server {
   listen 3000 default_server;
   listen [::]:3000 default_server;
   location SUBFOLDER {
-    alias /usr/share/selkies/www/;
+    alias /usr/share/selkies/web/;
     index  index.html index.htm;
     try_files $uri $uri/ =404;
   }
@@ -42,11 +42,15 @@ server {
     fancyindex on;
     fancyindex_footer SUBFOLDERnginx/footer.html;
     fancyindex_header SUBFOLDERnginx/header.html;
-    alias REPLACE_HOME/Desktop/;
+    alias REPLACE_DOWNLOADS_PATH/;
+    if (-f $request_filename) {
+        add_header Content-Disposition "attachment";
+        add_header X-Content-Type-Options "nosniff";
+    }
   }
   error_page 500 502 503 504 /50x.html;
   location = SUBFOLDER50x.html {
-    root /usr/share/selkies/www/;
+    root /usr/share/selkies/web/;
   }
 }
 
@@ -58,7 +62,7 @@ server {
   ssl_certificate           /config/ssl/cert.pem;
   ssl_certificate_key       /config/ssl/cert.key;
   location SUBFOLDER {
-    alias /usr/share/selkies/www/;
+    alias /usr/share/selkies/web/;
     index  index.html index.htm;
     try_files $uri $uri/ =404;
   }
@@ -96,12 +100,14 @@ server {
     fancyindex on;
     fancyindex_footer SUBFOLDERnginx/footer.html;
     fancyindex_header SUBFOLDERnginx/header.html;
-    alias REPLACE_HOME/Desktop/;
+    alias REPLACE_DOWNLOADS_PATH/;
+    if (-f $request_filename) {
+        add_header Content-Disposition "attachment";
+        add_header X-Content-Type-Options "nosniff";
+    }
   } 
   error_page 500 502 503 504 /50x.html;
   location = SUBFOLDER50x.html {
-    root /usr/share/selkies/www/;
+    root /usr/share/selkies/web/;
   }
 }
-
-

root/etc/s6-overlay/s6-rc.d/init-nginx/run

@@ -9,6 +9,10 @@ CHPORT="${CUSTOM_HTTPS_PORT:-3001}"
 CWS="${CUSTOM_WS_PORT:-8082}"
 CUSER="${CUSTOM_USER:-abc}"
 SFOLDER="${SUBFOLDER:-/}"
+FILE_MANAGER_PATH="${FILE_MANAGER_PATH:-$HOME/Desktop}"
+DASHBOARD="${DASHBOARD:-selkies-dashboard}"
+SELKIES_FILE_TRANSFERS="${SELKIES_FILE_TRANSFERS:-upload,download}"
+HARDEN_DESKTOP="${HARDEN_DESKTOP:-false}"
 
 # create self signed cert
 if [ ! -f "/config/ssl/cert.pem" ]; then
@@ -28,8 +32,11 @@ sed -i "s/3000/$CPORT/g" ${NGINX_CONFIG}
 sed -i "s/3001/$CHPORT/g" ${NGINX_CONFIG}
 sed -i "s/CWS/$CWS/g" ${NGINX_CONFIG}
 sed -i "s|SUBFOLDER|$SFOLDER|g" ${NGINX_CONFIG}
-sed -i "s|REPLACE_HOME|$HOME|g" ${NGINX_CONFIG}
-s6-setuidgid abc mkdir -p $HOME/Desktop
+sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" ${NGINX_CONFIG}
+s6-setuidgid abc mkdir -p ${FILE_MANAGER_PATH}
+if [[ $SELKIES_FILE_TRANSFERS != *"download"* ]] || [[ ${HARDEN_DESKTOP,,} == "true" ]]; then
+  sed -i '/files {/,/^  }/d' ${NGINX_CONFIG}
+fi
 if [ ! -z ${DISABLE_IPV6+x} ]; then
   sed -i '/listen \[::\]/d' ${NGINX_CONFIG}
 fi
@@ -44,7 +51,34 @@ if [ ! -z ${DEV_MODE+x} ]; then
     ${NGINX_CONFIG}
 fi
 
-# copy favicon
+# set dashboard and icon
+rm -Rf \
+  /usr/share/selkies/web
+cp -a \
+  /usr/share/selkies/$DASHBOARD \
+  /usr/share/selkies/web
+sed -i "s|REPLACE_DOWNLOADS_PATH|$FILE_MANAGER_PATH|g" /usr/share/selkies/web/nginx/footer.html
+cp \
+  /usr/share/selkies/www/icon.png \
+  /usr/share/selkies/web/favicon.ico
 cp \
   /usr/share/selkies/www/icon.png \
-  /usr/share/selkies/www/favicon.ico
+  /usr/share/selkies/web/icon.png
+# manifest creation
+echo "{
+  \"name\": \"${TITLE}\",
+  \"short_name\": \"${TITLE}\",
+  \"manifest_version\": 2,
+  \"version\": \"1.0.0\",
+  \"display\": \"fullscreen\",
+  \"background_color\": \"#000000\",
+  \"theme_color\": \"#000000\",
+  \"icons\": [
+    {
+      \"src\": \"icon.png\",
+      \"type\": \"image/png\",
+      \"sizes\": \"180x180\"
+    }
+  ],
+  \"start_url\": \"/\"
+}" > /usr/share/selkies/web/manifest.json