Open rhyslbw opened 4 years ago
Not sure how much capabilities you can drop, by default only these are enabled...
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
| Capability | Description |
|---|---|
| SETPCAP | Modify process capabilities. |
| MKNOD | Create special files using mknod(2). |
| AUDIT_WRITE | Write records to kernel auditing log. |
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
| NET_RAW | Use RAW and PACKET sockets. |
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. |
| KILL | Bypass permission checks for sending signals. |
| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
| SETUID | Make arbitrary manipulations of process UIDs. |
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
| SYS_CHROOT | Use chroot(2), change root directory. |
| SETFCAP | Set file capabilities. |
All other capabilities like the ones mentioned in the docker-compose link need to be explicitly added...
Thanks @mark-stopka
Following on from #227:
https://docs.docker.com/compose/compose-file/#cap_add-cap_drop
Also consider a more embedded solution to tighten security without external runtime params: https://unit42.paloaltonetworks.com/non-root-containers-kubernetes-cve-2019-11245-care/
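To make the default set above concrete, here is an added example (not code from this issue thread or from Docker/Compose) that decodes the `CapEff` bitmask a process sees in `/proc/self/status` into capability names, and models what `cap_drop` / `cap_add` do to Docker's default set. The bit numbers come from the kernel's `linux/capability.h`; the default list is the 14 capabilities tabulated above. The drop-then-add ordering in `apply_cap_changes` is an assumption about Docker's behaviour, and the `/proc/self/status` excerpt is constructed sample input.

```python
"""Decode Linux capability bitmasks and model Compose cap_drop / cap_add.

Run inside a container with `python3 this.py` to see which capabilities its
processes actually hold, or import the functions to check a Compose config.
"""
import re

# Capability bit numbers from <linux/capability.h>.
CAP_BITS = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3,
    "FSETID": 4, "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8,
    "LINUX_IMMUTABLE": 9, "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11,
    "NET_ADMIN": 12, "NET_RAW": 13, "IPC_LOCK": 14, "IPC_OWNER": 15,
    "SYS_MODULE": 16, "SYS_RAWIO": 17, "SYS_CHROOT": 18, "SYS_PTRACE": 19,
    "SYS_PACCT": 20, "SYS_ADMIN": 21, "SYS_BOOT": 22, "SYS_NICE": 23,
    "SYS_RESOURCE": 24, "SYS_TIME": 25, "SYS_TTY_CONFIG": 26, "MKNOD": 27,
    "LEASE": 28, "AUDIT_WRITE": 29, "AUDIT_CONTROL": 30, "SETFCAP": 31,
    "MAC_OVERRIDE": 32, "MAC_ADMIN": 33, "SYSLOG": 34, "WAKE_ALARM": 35,
    "BLOCK_SUSPEND": 36, "AUDIT_READ": 37, "PERFMON": 38, "BPF": 39,
    "CHECKPOINT_RESTORE": 40,
}

# The capabilities Docker grants a non-privileged container by default
# (the table in the thread above).
DOCKER_DEFAULT_CAPS = frozenset({
    "SETPCAP", "MKNOD", "AUDIT_WRITE", "CHOWN", "NET_RAW", "DAC_OVERRIDE",
    "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE",
    "SYS_CHROOT", "SETFCAP",
})


def normalize(name):
    """Accept 'CAP_NET_RAW', 'net_raw' or 'NET_RAW' and return 'NET_RAW'."""
    name = name.strip().upper()
    return name[4:] if name.startswith("CAP_") else name


def decode_capmask(hexmask):
    """Turn a CapEff-style hex string into the set of capability names."""
    mask = int(hexmask, 16)
    return {cap for cap, bit in CAP_BITS.items() if mask & (1 << bit)}


def encode_capmask(caps):
    """Inverse of decode_capmask: names -> integer bitmask."""
    return sum(1 << CAP_BITS[normalize(c)] for c in caps)


def apply_cap_changes(cap_add=(), cap_drop=(), base=DOCKER_DEFAULT_CAPS):
    """Model Compose cap_drop/cap_add against the default set.

    Assumed semantics: drops are applied first ('ALL' clears the set),
    then adds are appended ('ALL' grants every known capability).
    """
    drops = {normalize(c) for c in cap_drop}
    adds = {normalize(c) for c in cap_add}
    caps = set() if "ALL" in drops else set(base) - drops
    if "ALL" in adds:
        caps = set(CAP_BITS)
    else:
        unknown = adds - set(CAP_BITS)
        if unknown:
            raise ValueError(f"unknown capabilities: {sorted(unknown)}")
        caps |= adds
    return caps


def effective_caps_from_status(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return decode_capmask(m.group(1))


# Constructed sample: the CapEff line of a process in a default container.
SAMPLE_STATUS = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as f:
            text = f.read()
    except OSError:
        text = SAMPLE_STATUS
    held = effective_caps_from_status(text)
    print("effective:", sorted(held))
    print("beyond Docker default:", sorted(held - DOCKER_DEFAULT_CAPS))
    print("cap_drop ALL + cap_add NET_BIND_SERVICE ->",
          sorted(apply_cap_changes(["NET_BIND_SERVICE"], ["ALL"])))
```

The second print is the check worth wiring into a container hardening test: anything listed under "beyond Docker default" was granted deliberately and should be traceable to a `cap_add` entry.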