Kernel capabilities (see capabilities(7)) group privileged syscalls into 38 groups
Add only required capabilities:
docker run -it --rm \
--cap-add SYS_ADMIN \
alpine
Or at least, remove unneeded capabilities:
docker run -it --rm \
--cap-drop SYS_ADMIN \
alpine
Granting all capabilities is equivalent to running the container --privileged
Specifying required capabilities:
docker run -it --rm --cap-add SYS_ADMIN ubuntu:xenial
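Added example, not part of the original slides: a small POSIX shell model of how Docker combines its default capability set with --cap-add and --cap-drop, so a flag combination can be checked before a container is run. The default list is Docker's documented default set, reproduced here as an assumption, and the function names are mine. It shows that --cap-add SYS_ADMIN on its own keeps every default and adds one more, while --cap-drop ALL --cap-add SYS_ADMIN grants exactly the one capability that is required.

```sh
#!/bin/sh
# Docker's default capability set (assumed from the Docker documentation).
DOCKER_DEFAULT_CAPS="CHOWN DAC_OVERRIDE FSETID FOWNER MKNOD NET_RAW SETGID SETUID SETFCAP SETPCAP NET_BIND_SERVICE SYS_CHROOT KILL AUDIT_WRITE"

# in_list NEEDLE "word word ..." -> exit 0 if NEEDLE is one of the words
in_list() {
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# effective_caps "DROP_LIST" "ADD_LIST"
# Prints the resulting bounding set, one capability per line, sorted.
# Model: start from the defaults; --cap-drop ALL empties the set; each
# --cap-add then adds a capability; each explicit --cap-drop removes it
# (a drop wins over an add of the same name). --cap-add ALL is not modelled.
effective_caps() {
    drops="$1"; adds="$2"
    caps=""
    if ! in_list ALL "$drops"; then caps="$DOCKER_DEFAULT_CAPS"; fi
    for c in $adds; do
        in_list "$c" "$caps" || caps="$caps $c"
    done
    out=""
    for c in $caps; do
        in_list "$c" "$drops" || out="$out $c"
    done
    for c in $out; do echo "$c"; done | sort
}

# count_caps "DROP_LIST" "ADD_LIST" -> number of capabilities left
count_caps() {
    effective_caps "$1" "$2" | wc -l | tr -d ' '
}

# The two flag combinations from the slides, side by side:
echo "--cap-add SYS_ADMIN alone keeps all 14 defaults and adds one more:"
effective_caps "" "SYS_ADMIN"
echo "--cap-drop ALL --cap-add SYS_ADMIN grants exactly one capability:"
effective_caps "ALL" "SYS_ADMIN"
```

Note that SYS_ADMIN is not in Docker's default set, so --cap-drop SYS_ADMIN on its own changes nothing; the model returns the unchanged 14 defaults for that case.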
Check default capabilities of processes in privileged container:
docker run --rm --privileged ubuntu:xenial \
bash -c 'getpcaps $$'
Drop all capabilities if not required (the $$ is escaped so that the PID inspected belongs to the shell spawned by capsh after the drop, not to the outer bash, which still holds every capability):
docker run --rm --privileged ubuntu:xenial \
bash -c 'capsh --inh="" --drop="all" -- -c "getpcaps \$\$"'