The documentation was a bit unhelpful as to what the default
capabilities are, so split.
Signed-off-by: Justin Cormack <justin.cormack@docker.com>
| ... | ... |
@@ -1138,11 +1138,30 @@ This can be overridden using a third `:rwm` set of options to each `--device` fl |
| 1138 | 1138 |
|
| 1139 | 1139 |
In addition to `--privileged`, the operator can have fine grain control over the |
| 1140 | 1140 |
capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default |
| 1141 |
-list of capabilities that are kept. The following table lists the Linux capability options which can be added or dropped. |
|
| 1141 |
+list of capabilities that are kept. The following table lists the Linux capability |
|
| 1142 |
+options which are allowed by default and can be dropped. |
|
| 1142 | 1143 |
|
| 1143 | 1144 |
| Capability Key | Capability Description | |
| 1144 | 1145 |
| ---------------- | ----------------------------------------------------------------------------------------------------------------------------- | |
| 1145 | 1146 |
| SETPCAP | Modify process capabilities. | |
| 1147 |
+| MKNOD | Create special files using mknod(2). | |
|
| 1148 |
+| AUDIT_WRITE | Write records to kernel auditing log. | |
|
| 1149 |
+| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). | |
|
| 1150 |
+| NET_RAW | Use RAW and PACKET sockets. | |
|
| 1151 |
+| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. | |
|
| 1152 |
+| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. | |
|
| 1153 |
+| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. | |
|
| 1154 |
+| KILL | Bypass permission checks for sending signals. | |
|
| 1155 |
+| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. | |
|
| 1156 |
+| SETUID | Make arbitrary manipulations of process UIDs. | |
|
| 1157 |
+| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). | |
|
| 1158 |
+| SYS_CHROOT | Use chroot(2), change root directory. | |
|
| 1159 |
+| SETFCAP | Set file capabilities. | |
|
| 1160 |
+ |
|
| 1161 |
+The next table shows the capabilities which are not granted by default and may be added. |
|
| 1162 |
+ |
|
| 1163 |
+| Capability Key | Capability Description | |
|
| 1164 |
+| ---------------- | ----------------------------------------------------------------------------------------------------------------------------- | |
|
| 1146 | 1165 |
| SYS_MODULE | Load and unload kernel modules. | |
| 1147 | 1166 |
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). | |
| 1148 | 1167 |
| SYS_PACCT | Use acct(2), switch process accounting on or off. | |
| ... | ... |
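Review bot: The lead-in at 1140-1142 still says "By default, Docker has a default list of capabilities that are kept", which is redundant now that the first table is itself labelled as the default-allowed set; suggest "Docker keeps a default list of capabilities. The following table lists the capabilities which are granted by default and can be dropped with `--cap-drop`." Neither table says where the default set comes from or which Docker release it describes, so a reader cannot tell whether the split is still current; a sentence naming the source of the default list (or the version the tables reflect) would keep the two tables from drifting out of sync with the daemon.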
@@ -1151,36 +1170,23 @@ list of capabilities that are kept. The following table lists the Linux capabili |
| 1151 | 1151 |
| SYS_RESOURCE | Override resource Limits. | |
| 1152 | 1152 |
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. | |
| 1153 | 1153 |
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. | |
| 1154 |
-| MKNOD | Create special files using mknod(2). | |
|
| 1155 |
-| AUDIT_WRITE | Write records to kernel auditing log. | |
|
| 1156 | 1154 |
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. | |
| 1157 | 1155 |
| MAC_OVERRIDE | Allow MAC configuration or state changes. Implemented for the Smack LSM. | |
| 1158 | 1156 |
| MAC_ADMIN | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). | |
| 1159 | 1157 |
| NET_ADMIN | Perform various network-related operations. | |
| 1160 | 1158 |
| SYSLOG | Perform privileged syslog(2) operations. | |
| 1161 |
-| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). | |
|
| 1162 |
-| NET_RAW | Use RAW and PACKET sockets. | |
|
| 1163 |
-| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. | |
|
| 1164 |
-| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. | |
|
| 1165 | 1159 |
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. | |
| 1166 |
-| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. | |
|
| 1167 |
-| KILL | Bypass permission checks for sending signals. | |
|
| 1168 |
-| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. | |
|
| 1169 |
-| SETUID | Make arbitrary manipulations of process UIDs. | |
|
| 1170 | 1160 |
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. | |
| 1171 |
-| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). | |
|
| 1172 | 1161 |
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. | |
| 1173 | 1162 |
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). | |
| 1174 | 1163 |
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. | |
| 1175 |
-| SYS_CHROOT | Use chroot(2), change root directory. | |
|
| 1176 | 1164 |
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). | |
| 1177 | 1165 |
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. | |
| 1178 | 1166 |
| LEASE | Establish leases on arbitrary files (see fcntl(2)). | |
| 1179 |
-| SETFCAP | Set file capabilities. | |
|
| 1180 | 1167 |
| WAKE_ALARM | Trigger something that will wake up the system. | |
| 1181 |
-| BLOCK_SUSPEND | Employ features that can block system suspend. |
|
| 1168 |
+| BLOCK_SUSPEND | Employ features that can block system suspend. | |
|
| 1182 | 1169 |
|
| 1183 |
-Further reference information is available on the [capabilities(7) - Linux man page](http://linux.die.net/man/7/capabilities) |
|
| 1170 |
+Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html) |
|
| 1184 | 1171 |
|
| 1185 | 1172 |
Both flags support the value `ALL`, so if the |
| 1186 | 1173 |
operator wants to have all capabilities but `MKNOD` they could use: |
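Review bot: This hunk carries two changes the commit message does not mention: the capabilities(7) reference at 1183/1170 is re-pointed from linux.die.net to man7.org, and the BLOCK_SUSPEND row at 1181/1168 gains its missing trailing `|` so the table renders correctly. Both are fine, but please list them in the commit message so the link swap is not lost inside the split. While these rows are being touched, the unchanged WAKE_ALARM description at 1180/1167 ("Trigger something that will wake up the system") is the vaguest entry in either table; "Trigger the system to wake up (set the CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM timers)" would match the precision of the neighbouring rows.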