From bf7a3f010443ecd614baf0450c3193b1f5e52bc2 Mon Sep 17 00:00:00 2001
From: Justin Cormack
Date: Wed, 17 Aug 2016 21:16:54 +0100
Subject: [PATCH] Split list of capabilities into those added by default and those not

The documentation was a bit unhelpful as to what are the default capabilities, so split.

Signed-off-by: Justin Cormack
---
 docs/reference/run.md | 38 ++++++++++++++++++++++----------------
 1 file changed, 22 insertions(+), 16 deletions(-)

diff --git a/docs/reference/run.md b/docs/reference/run.md
index 87fb0e8c81..005a87c8db 100644
--- a/docs/reference/run.md
+++ b/docs/reference/run.md
@@ -1138,11 +1138,30 @@ This can be overridden using a third `:rwm` set of options to each `--device` fl In addition to `--privileged`, the operator can have fine grain control over the capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a default -list of capabilities that are kept. The following table lists the Linux capability options which can be added or dropped. +list of capabilities that are kept. The following table lists the Linux capability +options which are allowed by default and can be dropped. | Capability Key | Capability Description | | ---------------- | ----------------------------------------------------------------------------------------------------------------------------- | | SETPCAP | Modify process capabilities. | +| MKNOD | Create special files using mknod(2). | +| AUDIT_WRITE | Write records to kernel auditing log. | +| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). | +| NET_RAW | Use RAW and PACKET sockets. | +| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. | +| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. | +| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. | +| KILL | Bypass permission checks for sending signals. | +| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. | +| SETUID | Make arbitrary manipulations of process UIDs. | +| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). | +| SYS_CHROOT | Use chroot(2), change root directory. | +| SETFCAP | Set file capabilities. | + +The next table shows the capabilities which are not granted by default and may be added. 
+ +| Capability Key | Capability Description | +| ---------------- | ----------------------------------------------------------------------------------------------------------------------------- | | SYS_MODULE | Load and unload kernel modules. | | SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). | | SYS_PACCT | Use acct(2), switch process accounting on or off. | 
@@ -1151,36 +1170,23 @@ list of capabilities that are kept. The following table lists the Linux capabili | SYS_RESOURCE | Override resource Limits. | | SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. | | SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. | -| MKNOD | Create special files using mknod(2). | -| AUDIT_WRITE | Write records to kernel auditing log. | | AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. | | MAC_OVERRIDE | Allow MAC configuration or state changes. Implemented for the Smack LSM. | | MAC_ADMIN | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). | | NET_ADMIN | Perform various network-related operations. | | SYSLOG | Perform privileged syslog(2) operations. | -| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). | -| NET_RAW | Use RAW and PACKET sockets. | -| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. | -| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. | | DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. | -| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. | -| KILL | Bypass permission checks for sending signals. | -| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. | -| SETUID | Make arbitrary manipulations of process UIDs. | | LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. | -| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). | | NET_BROADCAST | Make socket broadcasts, and listen to multicasts. | | IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). 
| | IPC_OWNER | Bypass permission checks for operations on System V IPC objects. | -| SYS_CHROOT | Use chroot(2), change root directory. | | SYS_PTRACE | Trace arbitrary processes using ptrace(2). | | SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. | | LEASE | Establish leases on arbitrary files (see fcntl(2)). | -| SETFCAP | Set file capabilities. | | WAKE_ALARM | Trigger something that will wake up the system. | -| BLOCK_SUSPEND | Employ features that can block system suspend. +| BLOCK_SUSPEND | Employ features that can block system suspend. | -Further reference information is available on the [capabilities(7) - Linux man page](http://linux.die.net/man/7/capabilities) +Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html) Both flags support the value `ALL`, so if the operator wants to have all capabilities but `MKNOD` they could use:
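Review bot: In the first hunk (@@ -1138), the untouched lead-in "By default, Docker has a default list of capabilities that are kept" now sits directly in front of the new sentence "The following table lists the Linux capability options which are allowed by default and can be dropped", so "default" appears three times in two sentences and neither sentence names the flag the reader would actually use. Suggest tightening to something like "Docker keeps a default set of capabilities. The following table lists those granted by default; any of them can be removed with `--cap-drop`." and, for the second table, "The next table shows the capabilities which are not granted by default and can be added with `--cap-add`." That keeps the split this patch introduces while making the two tables map one-to-one onto the two flags introduced at the top of the paragraph.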
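Review bot: In the second hunk (@@ -1151), two changes are unrelated to splitting the table and are not mentioned in the commit message: the missing trailing `|` on the `BLOCK_SUSPEND` row is fixed ("+| BLOCK_SUSPEND | Employ features that can block system suspend. |"), and the capabilities(7) link is moved from linux.die.net to http://man7.org/linux/man-pages/man7/capabilities.7.html. Both are good fixes (man7.org is the site of the upstream Linux man-pages project, so it tracks new capabilities as they are documented), but they should either be called out in the commit message or land as a separate commit so the history explains why the link changed.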