Address coderabbit-discoverd issues

2025-12-07 09:36:05 -08:00 · 2025-11-01 18:18:32 +00:00
parent 79887f0bd7
commit 70373b1fbd
8 changed files with 136 additions and 198 deletions
--- a/install/production-filesystem/entrypoint.d/0-storage-permission.sh
+++ b/install/production-filesystem/entrypoint.d/0-storage-permission.sh
@@ -51,13 +51,13 @@ EOF
    >&2 printf "%s" "${RESET}"

    # Set ownership to netalertx user for all read-write paths
-    chown -R netalertx ${READ_WRITE_PATHS}
+    chown -R netalertx ${READ_WRITE_PATHS} 2>/dev/null || true

    # Set directory and file permissions for all read-write paths
-    find ${READ_WRITE_PATHS} -type d -exec chmod u+rwx {} + 2>/dev/null
-    find ${READ_WRITE_PATHS} -type f -exec chmod u+rw {} + 2>/dev/null
+    find ${READ_WRITE_PATHS} -type d -exec chmod u+rwx {}
+    find ${READ_WRITE_PATHS} -type f -exec chmod u+rw {}
    echo Permissions fixed for read-write paths. Please restart the container as user 20211.
-    sleep infinity & wait $!; exit 211
+    sleep infinity & wait $!
 fi


--- a/install/production-filesystem/entrypoint.d/80-host-mode-network.sh
+++ b/install/production-filesystem/entrypoint.d/80-host-mode-network.sh
@@ -46,8 +46,8 @@ fi

 YELLOW=$(printf '\033[1;33m')
 RESET=$(printf '\033[0m')
-printf "%s" "${YELLOW}"
-cat <<EOF
+>&2 printf "%s" "${YELLOW}"
+>&2 cat <<EOF
 ══════════════════════════════════════════════════════════════════════════════
 ⚠️  ATTENTION: NetAlertX is not running with --network=host.

@@ -62,5 +62,5 @@ cat <<EOF
    https://github.com/jokob-sk/NetAlertX/blob/main/docs/docker-troubleshooting/network-mode.md
 ══════════════════════════════════════════════════════════════════════════════
 EOF
-printf "%s" "${RESET}"
+>&2 printf "%s" "${RESET}"
 exit 0
--- a/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
+++ b/install/production-filesystem/entrypoint.d/90-excessive-capabilities.sh
@@ -1,12 +1,17 @@
 #!/bin/bash
+# Bash used in this check for simplicty of math operations.
 # excessive-capabilities.sh checks that no more than the necessary
 # NET_ADMIN NET_BIND_SERVICE and NET_RAW capabilities are present.

 # Get bounding capabilities from /proc/self/status (what can be acquired)
-BND_HEX=$(grep '^CapBnd:' /proc/self/status | awk '{print $2}' | tr -d '\t')
+BND_HEX=$(grep '^CapBnd:' /proc/self/status 2>/dev/null | awk '{print $2}' | tr -d '\t')  
+
+if [ -z "$BND_HEX" ]; then
+    exit 0
+fi

 # Convert hex to decimal
-BND_DEC=$(( 16#$BND_HEX ))
+BND_DEC=$(( 16#$BND_HEX )) || exit 0  

 # Allowed capabilities: NET_BIND_SERVICE (10), NET_ADMIN (12), NET_RAW (13)
 ALLOWED_DEC=$(( ( 1 << 10 )  | ( 1 << 12 ) | ( 1 << 13 ) ))