From 05c1333ebb8ff1c7863ff00edb9348c42e15c024 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julian-Samuel=20Geb=C3=BChr?=
Date: Sat, 9 Jul 2022 13:44:41 +0200
Subject: [PATCH] Restrict permissions of container

---
 .../templates/systemd/matrix-bot-maubot.service.j2 | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2 b/roles/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2
index cde18e4dc..b01139d2d 100644
--- a/roles/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2
+++ b/roles/matrix-bot-maubot/templates/systemd/matrix-bot-maubot.service.j2
@@ -18,9 +18,9 @@ ExecStartPre=-{{ matrix_host_command_sh }} -c '{{ matrix_host_command_docker }}
 
 ExecStart={{ matrix_host_command_docker }} run --rm --name matrix-bot-maubot \
 --log-driver=none \
- -e UID={{ matrix_user_uid }} \
- -e GID={{ matrix_user_gid }} \
+ --user={{ matrix_user_uid }}:{{ matrix_user_gid }} \
 --read-only \
+ --cap-drop=ALL \
 -v {{ matrix_bot_maubot_data_path }}:/data:z \
 {% for arg in matrix_bot_maubot_container_extra_arguments %}
 {{ arg }} \
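Review bot: The hardened `docker run` line still lacks `--security-opt=no-new-privileges`, so a setuid binary inside the image can change the process's effective UID even with `--user` and `--cap-drop=ALL` set; I would add `--security-opt=no-new-privileges \` directly after `--cap-drop=ALL \`. Replacing `-e UID`/`-e GID` with `--user` also means the container never starts as root, so if the image's entrypoint used those variables to chown `/data` before dropping privileges (not visible in this hunk), it can no longer do that and `{{ matrix_bot_maubot_data_path }}` has to be owned by `matrix_user_uid:matrix_user_gid` on the host before the unit starts. The `matrix_bot_maubot_container_extra_arguments` loop comes after these flags, so an extra argument such as a `--cap-add` would quietly widen the restriction again; a short template comment noting this would help whoever sets that variable. The ExecStart command continues past the end of the hunk.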