Kernel capabilities(7)
organizes >300 syscalls in 38 groups
Docker allows capabilities to be configured per container
Having all capabilities is equivalent to privileged
Check default capabilities of processes in container:
docker run -it --rm ubuntu:xenial bash -c 'getpcaps $$'
Check default capabilities of processes in privileged container:
docker run -it --rm --privileged ubuntu:xenial bash -c 'getpcaps $$'
Add single capability:
docker run -it --rm --cap-add SYS_ADMIN ubuntu:xenial bash -c 'getpcaps $$'
Drop single capability:
docker run -it --rm --cap-drop NET_RAW ubuntu:xenial bash -c 'getpcaps $$'
Drop all capabilities in a privileged container:
docker run -it --rm --privileged ubuntu:xenial \
bash -c 'capsh --inh="" --drop="all" -- -c "getpcaps $$"'