Capabilities turn the binary "root/non-root" into a fine-grained access control system. Processes (like web servers) that just need to bind on a port below 1024 do not have to run as root, they can just be granted the net_bind_service capability instead.

Starting with kernel 2.2, Linux divides the privileges traditionally associated with superuser into distinct units, known as capabilities, which can be independently enabled and disabled.

Capabilities Demonstration

  • Let's run ping command in a container
docker run --rm -it alpine sh

ping -c 2

capabilities ping

  • Now, let's remove the CAP_NET_RAW capability and try again
docker run --rm -it --cap-drop=NET_RAW alpine sh

ping -c 2

capabilities ping drop

Checking for the list of capabilities

  • We can check the list of capabilities applied the container or system using the below command
docker run --rm -it 71aa5f3f90dc bash

capsh --print

capsh print

Running the full privileged container

  • Run the below command to start a privileged container
docker run --rm -it --privileged=true 71aa5f3f90dc bash

capsh --print

privileged container

  • It is possible to access the host devices from the privileged containers using more /dev/kmsg

The /dev/kmsg character device node provides userspace access to the kernel's printk buffer.

/dev/kmsg log

results matching ""

    No results matching ""