Capabilities

Linux kernel capabilities (capabilities(7)) split privileged operations into 38 groups, so a process can hold some of root's power without holding all of it

Add only the capabilities the workload requires (--cap-add adds to Docker's default set):

docker run -it --rm \
    --cap-add SYS_ADMIN \
    alpine

Or, at a minimum, drop the capabilities it does not need:

docker run -it --rm \
    --cap-drop SYS_ADMIN \
    alpine

Granting all capabilities (--cap-add ALL) is equivalent to running the container with --privileged

Demo: Capabilities

Specifying the required capabilities:

docker run -it --rm --cap-add SYS_ADMIN ubuntu:xenial

Check the default capabilities a process holds in a privileged container:

docker run --rm --privileged ubuntu:xenial \
    bash -c 'getpcaps $$'

Drop all capabilities when none are required (escape $$ so it expands in the shell that capsh starts, not in the outer bash, otherwise getpcaps reports the still-privileged outer process):

docker run --rm --privileged ubuntu:xenial \
    bash -c 'capsh --inh="" --drop="all" -- -c "getpcaps \$\$"'
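As an added example (not part of the original page), the same check done by decoding the Cap* masks in /proc/<pid>/status, which is what getpcaps reads; the status lines below are constructed for a process started with Docker's default capability set, and read_caps is a hypothetical helper for running the check live inside a container.

```python
"""Decode the CapEff/CapBnd masks from /proc/<pid>/status (what getpcaps reads)."""
import re

# Capability numbers from linux/capability.h: the 38 caps the page counts, bits 0..37.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# Constructed sample (not captured from a real container): the Cap* lines of
# /proc/self/status for a process running with Docker's default capability set.
SAMPLE_STATUS = """Name:\tbash
Pid:\t1
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""

def parse_cap_masks(status_text):
    """Return {'CapInh': int, 'CapEff': int, ...} parsed from /proc/<pid>/status text."""
    masks = {}
    for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M):
        masks[m.group(1)] = int(m.group(2), 16)
    return masks

def decode_caps(mask):
    """Translate a capability bitmask into the set of capability names it contains."""
    names = {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}
    # Bits above the known table come from a newer kernel; keep them visible by number.
    names |= {f"cap_{bit}" for bit in range(len(CAP_NAMES), mask.bit_length())
              if mask >> bit & 1}
    return names

def excess_caps(status_text, required):
    """Effective caps held beyond `required`: the candidates for --cap-drop."""
    effective = decode_caps(parse_cap_masks(status_text)["CapEff"])
    return sorted(effective - set(required))

def read_caps(pid="self"):
    """Hypothetical live check inside a container: decode CapEff of a running process."""
    with open(f"/proc/{pid}/status") as f:
        return decode_caps(parse_cap_masks(f.read())["CapEff"])

if __name__ == "__main__":
    print("effective:", sorted(decode_caps(parse_cap_masks(SAMPLE_STATUS)["CapEff"])))
    print("droppable if only net_bind_service is needed:",
          excess_caps(SAMPLE_STATUS, ["net_bind_service"]))
```

A --privileged container shows CapEff 0000003fffffffff on a 38-capability kernel, i.e. every entry in the table, while the default set above never includes sys_admin.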