Merge pull request #2726 from thaJeztah/add_new_caps
Add docs and bash-completion for new Linux capabilities
This commit is contained in:
Tõnis Tiigi
GitHub
commit
ee360d3998
@ -837,6 +837,8 @@ __docker_complete_capabilities_addable() {
|
|||||||
CAP_AUDIT_CONTROL
|
CAP_AUDIT_CONTROL
|
||||||
CAP_AUDIT_READ
|
CAP_AUDIT_READ
|
||||||
CAP_BLOCK_SUSPEND
|
CAP_BLOCK_SUSPEND
|
||||||
|
CAP_BPF
|
||||||
|
CAP_CHECKPOINT_RESTORE
|
||||||
CAP_DAC_READ_SEARCH
|
CAP_DAC_READ_SEARCH
|
||||||
CAP_IPC_LOCK
|
CAP_IPC_LOCK
|
||||||
CAP_IPC_OWNER
|
CAP_IPC_OWNER
|
||||||
@ -846,6 +848,7 @@ __docker_complete_capabilities_addable() {
|
|||||||
CAP_MAC_OVERRIDE
|
CAP_MAC_OVERRIDE
|
||||||
CAP_NET_ADMIN
|
CAP_NET_ADMIN
|
||||||
CAP_NET_BROADCAST
|
CAP_NET_BROADCAST
|
||||||
|
CAP_PERFMON
|
||||||
CAP_SYS_ADMIN
|
CAP_SYS_ADMIN
|
||||||
CAP_SYS_BOOT
|
CAP_SYS_BOOT
|
||||||
CAP_SYSLOG
|
CAP_SYSLOG
|
||||||
|
|||||||
@ -1285,53 +1285,57 @@ capabilities using `--cap-add` and `--cap-drop`. By default, Docker has a defaul
|
|||||||
list of capabilities that are kept. The following table lists the Linux capability
|
list of capabilities that are kept. The following table lists the Linux capability
|
||||||
options which are allowed by default and can be dropped.
|
options which are allowed by default and can be dropped.
|
||||||
|
|
||||||
| Capability Key | Capability Description |
|
| Capability Key | Capability Description |
|
||||||
|:-----------------|:------------------------------------------------------------------------------------------------------------------------------|
|
|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| AUDIT_WRITE | Write records to kernel auditing log. |
|
| AUDIT_WRITE | Write records to kernel auditing log. |
|
||||||
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
|
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
|
||||||
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
|
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
|
||||||
| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
|
| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
|
||||||
| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. |
|
| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. |
|
||||||
| KILL | Bypass permission checks for sending signals. |
|
| KILL | Bypass permission checks for sending signals. |
|
||||||
| MKNOD | Create special files using mknod(2). |
|
| MKNOD | Create special files using mknod(2). |
|
||||||
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
|
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
|
||||||
| NET_RAW | Use RAW and PACKET sockets. |
|
| NET_RAW | Use RAW and PACKET sockets. |
|
||||||
| SETFCAP | Set file capabilities. |
|
| SETFCAP | Set file capabilities. |
|
||||||
| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
|
| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
|
||||||
| SETPCAP | Modify process capabilities. |
|
| SETPCAP | Modify process capabilities. |
|
||||||
| SETUID | Make arbitrary manipulations of process UIDs. |
|
| SETUID | Make arbitrary manipulations of process UIDs. |
|
||||||
| SYS_CHROOT | Use chroot(2), change root directory. |
|
| SYS_CHROOT | Use chroot(2), change root directory. |
|
||||||
|
|
||||||
The next table shows the capabilities which are not granted by default and may be added.
|
The next table shows the capabilities which are not granted by default and may be added.
|
||||||
|
|
||||||
| Capability Key | Capability Description |
|
| Capability Key | Capability Description |
|
||||||
|:----------------|:----------------------------------------------------------------------------------------------------------------|
|
|:----------------------|:-------------------------------------------------------------------------------------------------------------------------------|
|
||||||
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
|
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
|
||||||
| AUDIT_READ | Allow reading audit messages from the kernel. |
|
| AUDIT_READ | Allow reading the audit log via multicast netlink socket. |
|
||||||
| BLOCK_SUSPEND | Employ features that can block system suspend. |
|
| BLOCK_SUSPEND | Allow preventing system suspends. |
|
||||||
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
|
| BPF | Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more. |
|
||||||
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
|
| CHECKPOINT_RESTORE | Allow checkpoint/restore related operations. Introduced in kernel 5.9. |
|
||||||
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
|
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
|
||||||
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
|
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
|
||||||
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
|
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
|
||||||
| MAC_ADMIN | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
|
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
|
||||||
| MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
|
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
|
||||||
| NET_ADMIN | Perform various network-related operations. |
|
| MAC_ADMIN | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
|
||||||
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
|
| MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
|
||||||
| SYS_ADMIN | Perform a range of system administration operations. |
|
| NET_ADMIN | Perform various network-related operations. |
|
||||||
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
|
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
|
||||||
| SYS_MODULE | Load and unload kernel modules. |
|
| PERFMON | Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems |
|
||||||
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
|
| SYS_ADMIN | Perform a range of system administration operations. |
|
||||||
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
|
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
|
||||||
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
|
| SYS_MODULE | Load and unload kernel modules. |
|
||||||
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
|
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
|
||||||
| SYS_RESOURCE | Override resource Limits. |
|
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
|
||||||
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
|
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
|
||||||
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
|
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
|
||||||
| SYSLOG | Perform privileged syslog(2) operations. |
|
| SYS_RESOURCE | Override resource Limits. |
|
||||||
| WAKE_ALARM | Trigger something that will wake up the system. |
|
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
|
||||||
|
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
|
||||||
|
| SYSLOG | Perform privileged syslog(2) operations. |
|
||||||
|
| WAKE_ALARM | Trigger something that will wake up the system. |
|
||||||
|
|
||||||
Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
|
Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html),
|
||||||
|
and in the [Linux kernel source code](https://github.com/torvalds/linux/blob/124ea650d3072b005457faed69909221c2905a1f/include/uapi/linux/capability.h).
|
||||||
|
|
||||||
Both flags support the value `ALL`, so to allow a container to use all capabilities
|
Both flags support the value `ALL`, so to allow a container to use all capabilities
|
||||||
except for `MKNOD`:
|
except for `MKNOD`:
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user