From 1d3c0f13a3883d990ab1c0551059f6f1d5135876 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sa=C3=BAl=20Ibarra=20Corretg=C3=A9?= <saghul@jitsi.org>
Date: Thu, 30 May 2024 19:07:35 +0200
Subject: [PATCH] jibri: fail to start if the SYS_ADMIN cap is missing (#1816)

The container will refuse to start and provide some useful information
to the user:

```
docker-jitsi-meet-jibri-1    | cap[cap_sys_admin] not permitted
docker-jitsi-meet-jibri-1    | Required capability SYS_ADMIN is missing
docker-jitsi-meet-jibri-1    | [cont-init.d] 10-config: exited 1.
docker-jitsi-meet-jibri-1    | [cont-finish.d] executing container finish scripts...
docker-jitsi-meet-jibri-1    | [cont-finish.d] done.
docker-jitsi-meet-jibri-1    | [s6-finish] waiting for services.
```
---
 jibri/Dockerfile                       | 15 ++++++++++++++-
 jibri/rootfs/etc/cont-init.d/10-config |  6 ++++++
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/jibri/Dockerfile b/jibri/Dockerfile
index 2e90d22..4bab2ae 100644
--- a/jibri/Dockerfile
+++ b/jibri/Dockerfile
@@ -16,7 +16,20 @@ ARG CHROME_RELEASE=121.0.6167.85
 COPY rootfs/ /
 
 RUN apt-dpkg-wrap apt-get update && \
-    apt-dpkg-wrap apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" jibri libgl1-mesa-dri procps jitsi-upload-integrations jitsi-autoscaler-sidecar jq pulseaudio dbus dbus-x11 rtkit unzip fonts-noto && \
+    apt-dpkg-wrap apt-get install -y -o Dpkg::Options::="--force-confdef" -o Dpkg::Options::="--force-confold" \
+        jibri \
+        libgl1-mesa-dri \
+        procps \
+        jitsi-upload-integrations \
+        jitsi-autoscaler-sidecar \
+        jq \
+        pulseaudio \
+        dbus \
+        dbus-x11 \
+        rtkit \
+        unzip \
+        fonts-noto \
+        libcap2-bin && \
     /usr/bin/install-chrome.sh && \
     apt-cleanup && \
     adduser jibri rtkit && \
diff --git a/jibri/rootfs/etc/cont-init.d/10-config b/jibri/rootfs/etc/cont-init.d/10-config
index 7f9a0ce..d1ea95c 100644
--- a/jibri/rootfs/etc/cont-init.d/10-config
+++ b/jibri/rootfs/etc/cont-init.d/10-config
@@ -1,5 +1,11 @@
 #!/usr/bin/with-contenv bash
 
+# Check if the SYS_ADMIN cap is set
+if ! capsh --has-p=cap_sys_admin; then
+    echo "Required capability SYS_ADMIN is missing"
+    exit 1
+fi
+
 # Check if /dev/shm is large enough (2GB at least)
 if ! shm-check; then
     echo "/dev/shm must be at least 2GB in size"