From 72e770150ed04ca6fd026c2e62033c1401b16509 Mon Sep 17 00:00:00 2001
From: Conan Scott
Date: Mon, 12 Jan 2026 20:27:36 +1100
Subject: [PATCH] Added privesc for stupid, stupid s6 for plex
---
manifests/scc/.DS_Store | Bin 6148 -> 10244 bytes
...tricted--hostpath-rolebinding-privesc.yaml | 12 ++++++
.../scc-restricted--hostpath-rolebinding.yaml | 4 +-
.../scc/scc-restricted-hostpath-privesc.yaml | 38 ++++++++++++++++++
4 files changed, 52 insertions(+), 2 deletions(-)
create mode 100644 manifests/scc/scc-restricted--hostpath-rolebinding-privesc.yaml
create mode 100644 manifests/scc/scc-restricted-hostpath-privesc.yaml
diff --git a/manifests/scc/.DS_Store b/manifests/scc/.DS_Store
index f17f369bffc9afb842e3b5d8cbe4399c28e7334c..5b39829cc7d69c5149b6a911be47296db9649d9c 100644
GIT binary patch
delta 448
zcmZoMXbF&DU|?W$DortDU{C-uIe-{M3-C-V6q~50$jGxXU^nw-1&%+=i`h9iCN{9J z@&KjvCJV603hOfHGGs91GZZtFFcdH(0?CZY1}u`C3Jl3W(E^6b$sR1T8HrUZ!y3w{ ziO1Z{cx6>5YqEMwe#{~#jo~JshY;@BiC5l_EuK*Z;IVWCn&55GZg130F{Tvuor6P=8K?>f1h|2OD@en}!tczJ`BgkY+8LN2MuALc*c{I@hZz7L91>Rm
diff --git a/manifests/scc/scc-restricted--hostpath-rolebinding-privesc.yaml b/manifests/scc/scc-restricted--hostpath-rolebinding-privesc.yaml
new file mode 100644
index 0000000..f4a415a
--- /dev/null
+++ b/manifests/scc/scc-restricted--hostpath-rolebinding-privesc.yaml
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: peanutflix-sa-restricted-hostpath
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: system:openshift:scc:restricted-hostpath
+subjects:
+ - kind: ServiceAccount
+ name: peanutflix-sa
+ namespace: peanutflix
\ No newline at end of file
diff --git a/manifests/scc/scc-restricted--hostpath-rolebinding.yaml b/manifests/scc/scc-restricted--hostpath-rolebinding.yaml
index f4a415a..ca89865 100644
--- a/manifests/scc/scc-restricted--hostpath-rolebinding.yaml
+++ b/manifests/scc/scc-restricted--hostpath-rolebinding.yaml
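Review bot: This new file is named `-privesc` but carries the non-privesc binding — its blob id `f4a415a` is the pre-change blob of `scc-restricted--hostpath-rolebinding.yaml` (`index f4a415a..ca89865` in the next file header), so the two file names are swapped relative to their contents. Because both bindings are kept, `peanutflix-sa` ends up with `use` on the `restricted-hostpath` SCC and on the `-privesc` one at the same time; if the intent is to move the account onto the privesc SCC, this file should not exist, otherwise the files should be renamed so each name matches its `roleRef.name`. A short header comment would also help, e.g. `# Grants peanutflix-sa use of the restricted-hostpath SCC (no privilege escalation)`. The file also lacks a `---` document start and a trailing newline.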
@@ -1,11 +1,11 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
- name: peanutflix-sa-restricted-hostpath
+ name: peanutflix-sa-restricted-hostpath-privesc
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
- name: system:openshift:scc:restricted-hostpath
+ name: system:openshift:scc:restricted-hostpath-privesc
subjects:
- kind: ServiceAccount
name: peanutflix-sa
diff --git a/manifests/scc/scc-restricted-hostpath-privesc.yaml b/manifests/scc/scc-restricted-hostpath-privesc.yaml
new file mode 100644
index 0000000..18ecb76
--- /dev/null
+++ b/manifests/scc/scc-restricted-hostpath-privesc.yaml
@@ -0,0 +1,38 @@
+apiVersion: security.openshift.io/v1
+kind: SecurityContextConstraints
+metadata:
+ name: restricted-hostpath-privesc
+allowHostDirVolumePlugin: true # Needed for /dev/dri hostPath
+allowHostIPC: false
+allowHostNetwork: false
+allowHostPID: false
+allowHostPorts: false
+allowPrivilegeEscalation: true
+allowPrivilegedContainer: false
+allowedCapabilities: null
+defaultAddCapabilities: null
+fsGroup:
+ type: MustRunAs
+ ranges:
+ - min: 1000
+ max: 2000
+readOnlyRootFilesystem: false
+requiredDropCapabilities:
+ - ALL
+runAsUser:
+ type: MustRunAsRange
+ uidRangeMin: 1000
+ uidRangeMax: 2000
+seLinuxContext:
+ type: MustRunAs
+supplementalGroups:
+ type: RunAsAny
+volumes:
+ - configMap
+ - downwardAPI
+ - emptyDir
+ - hostPath # This is what distinguishes it from restricted-s6
+ - persistentVolumeClaim
+ - projected
+ - secret
+priority: 6 # Higher than restricted-s6 (5) due to hostPath access
\ No newline at end of file
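Review bot: Changing `metadata.name` together with `roleRef.name` means `oc apply` creates a second ClusterRoleBinding rather than updating `peanutflix-sa-restricted-hostpath`, and since this commit also re-creates that original binding from the new `-privesc` file, the service account ends up holding `use` on both SCCs instead of moving from one to the other. The binding is cluster-scoped; a namespaced `kind: RoleBinding` with `metadata.namespace: peanutflix` and the same `roleRef` is the tighter form OpenShift documents for SCC grants and is sufficient unless `peanutflix-sa` creates pods in other namespaces. `roleRef.name` relies on the `system:openshift:scc:restricted-hostpath-privesc` ClusterRole that OpenShift presumably generates for the SCC of that name; a comment such as `# roleRef targets the ClusterRole OpenShift auto-generates for the SCC of the same name; the SCC must exist first` would make the dependency explicit. The hunk ends before the `namespace: peanutflix` subject line, which is outside the visible context.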
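Review bot: `allowHostDirVolumePlugin: true` together with `hostPath` in `volumes` permits mounting any host directory, not only `/dev/dri` as the inline comment implies — SecurityContextConstraints has no host-path allow-list, so nothing in this SCC bounds which host paths a pod may mount, and combined with `allowPrivilegeEscalation: true` a pod admitted here could exec setuid binaries from a host mount, leaving SELinux (`seLinuxContext: MustRunAs`) and the empty capability bounding set from `requiredDropCapabilities: [ALL]` as the remaining barriers. `priority: 6` also makes this the SCC selected for every pod the bound service account runs, because admission tries higher-priority SCCs first, so workloads that need neither hostPath nor privilege escalation are admitted under the widest constraint. `supplementalGroups: RunAsAny` is looser than the `fsGroup` range and admits GID 0; mirroring the `fsGroup` block with `type: MustRunAs` and the same 1000–2000 range closes that gap. I would reword the volume comment to `# hostPath cannot be path-restricted in an SCC: any host directory is mountable under this constraint` and, if the only need is GPU access (inferred from the `/dev/dri` comment; `restricted-s6` is not visible here), consider a device plugin so hostPath can be dropped entirely. The file also lacks a `---` document start and a trailing newline.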