mark-stopka
commented
4 years ago Not sure how much capabilities you can drop, by default only these are enabled...
https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
| SETPCAP | Modify process capabilities. |
|---|---|
| MKNOD | Create special files using mknod(2). |
| AUDIT_WRITE | Write records to kernel auditing log. |
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
| NET_RAW | Use RAW and PACKET sockets. |
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
| FSETID | Don’t clear set-user-ID and set-group-ID permission bits when a file is modified. |
| KILL | Bypass permission checks for sending signals. |
| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
| SETUID | Make arbitrary manipulations of process UIDs. |
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
| SYS_CHROOT | Use chroot(2), change root directory. |
| SETFCAP | Set file capabilities. |
All other capabilities like the ones mentioned in the docker-compose link need to be explicitly added...
rhyslbw
Following on from #227:
https://docs.docker.com/compose/compose-file/#cap_add-cap_drop
Also consider more embedded solution to tighten security without external runtime params https://unit42.paloaltonetworks.com/non-root-containers-kubernetes-cve-2019-11245-care/