This repository was archived by the owner on Oct 13, 2023. It is now read-only.

Commit fcc83c0

Merge pull request #2725 from thaJeztah/19.03_backport_update_caps_docs_and_completion
[19.03 backport] Update documentation on capabilities, and add missing CAP_AUDIT_READ Upstream-commit: c80dda68d87c907084c26a4f985d2eb75e69d0cb Component: cli
2 parents c9133e2 + 8ff047e commit fcc83c0

2 files changed

Lines changed: 33 additions & 23 deletions


components/cli/contrib/completion/bash/docker

Lines changed: 1 addition & 0 deletions
@@ -834,6 +834,7 @@ __docker_complete_capabilities_addable() {
834834
local capabilities=(
835835
ALL
836836
CAP_AUDIT_CONTROL
837+
CAP_AUDIT_READ
837838
CAP_BLOCK_SUSPEND
838839
CAP_DAC_READ_SEARCH
839840
CAP_IPC_LOCK
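Review bot: the addable-capabilities array in `__docker_complete_capabilities_addable()` is a hand-maintained copy of the "not granted by default" table in `docs/reference/run.md`, and this PR exists because the two drifted (CAP_AUDIT_READ was missing here). The insertion keeps the array in alphabetical order between `CAP_AUDIT_CONTROL` and `CAP_BLOCK_SUSPEND`, which is correct; consider adding a comment above `local capabilities=(` pointing at the run.md table so the next person who edits one list knows to update the other, or check the two lists against each other in CI.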

components/cli/docs/reference/run.md

Lines changed: 32 additions & 23 deletions
@@ -1287,58 +1287,67 @@ options which are allowed by default and can be dropped.
12871287
12881288
| Capability Key | Capability Description |
12891289
|:-----------------|:------------------------------------------------------------------------------------------------------------------------------|
1290-
| SETPCAP | Modify process capabilities. |
1291-
| MKNOD | Create special files using mknod(2). |
12921290
| AUDIT_WRITE | Write records to kernel auditing log. |
12931291
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
1294-
| NET_RAW | Use RAW and PACKET sockets. |
12951292
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
12961293
| FOWNER | Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file. |
12971294
| FSETID | Don't clear set-user-ID and set-group-ID permission bits when a file is modified. |
12981295
| KILL | Bypass permission checks for sending signals. |
1296+
| MKNOD | Create special files using mknod(2). |
1297+
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
1298+
| NET_RAW | Use RAW and PACKET sockets. |
1299+
| SETFCAP | Set file capabilities. |
12991300
| SETGID | Make arbitrary manipulations of process GIDs and supplementary GID list. |
1301+
| SETPCAP | Modify process capabilities. |
13001302
| SETUID | Make arbitrary manipulations of process UIDs. |
1301-
| NET_BIND_SERVICE | Bind a socket to internet domain privileged ports (port numbers less than 1024). |
13021303
| SYS_CHROOT | Use chroot(2), change root directory. |
1303-
| SETFCAP | Set file capabilities. |
13041304
13051305
The next table shows the capabilities which are not granted by default and may be added.
13061306
13071307
| Capability Key | Capability Description |
13081308
|:----------------|:----------------------------------------------------------------------------------------------------------------|
1309-
| SYS_MODULE | Load and unload kernel modules. |
1310-
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
1311-
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
1312-
| SYS_ADMIN | Perform a range of system administration operations. |
1313-
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
1314-
| SYS_RESOURCE | Override resource Limits. |
1315-
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
1316-
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
13171309
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
1310+
| AUDIT_READ | Allow reading audit messages from the kernel. |
1311+
| BLOCK_SUSPEND | Employ features that can block system suspend. |
1312+
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
1313+
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
1314+
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
1315+
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
1316+
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
13181317
| MAC_ADMIN | Allow MAC configuration or state changes. Implemented for the Smack LSM. |
13191318
| MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
13201319
| NET_ADMIN | Perform various network-related operations. |
1321-
| SYSLOG | Perform privileged syslog(2) operations. |
1322-
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
1323-
| LINUX_IMMUTABLE | Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags. |
13241320
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
1325-
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
1326-
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
1327-
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
1321+
| SYS_ADMIN | Perform a range of system administration operations. |
13281322
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
1329-
| LEASE | Establish leases on arbitrary files (see fcntl(2)). |
1323+
| SYS_MODULE | Load and unload kernel modules. |
1324+
| SYS_NICE | Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes. |
1325+
| SYS_PACCT | Use acct(2), switch process accounting on or off. |
1326+
| SYS_PTRACE | Trace arbitrary processes using ptrace(2). |
1327+
| SYS_RAWIO | Perform I/O port operations (iopl(2) and ioperm(2)). |
1328+
| SYS_RESOURCE | Override resource Limits. |
1329+
| SYS_TIME | Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock. |
1330+
| SYS_TTY_CONFIG | Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals. |
1331+
| SYSLOG | Perform privileged syslog(2) operations. |
13301332
| WAKE_ALARM | Trigger something that will wake up the system. |
1331-
| BLOCK_SUSPEND | Employ features that can block system suspend. |
13321333
13331334
Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html)
13341335
1335-
Both flags support the value `ALL`, so if the
1336-
operator wants to have all capabilities but `MKNOD` they could use:
1336+
Both flags support the value `ALL`, so to allow a container to use all capabilities
1337+
except for `MKNOD`:
13371338
13381339
```bash
13391340
$ docker run --cap-add=ALL --cap-drop=MKNOD ...
13401341
```
13411342
1343+
The `--cap-add` and `--cap-drop` flags accept capabilities to be specified with
1344+
a `CAP_` prefix. The following examples are therefore equivalent:
1345+
1346+
```bash
1347+
$ docker run --cap-add=SYS_ADMIN ...
1348+
$ docker run --cap-add=CAP_SYS_ADMIN ...
1349+
```
1350+
13421351
For interacting with the network stack, instead of using `--privileged` they
13431352
should use `--cap-add=NET_ADMIN` to modify the network interfaces.
13441353
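Review bot: the new sentence at 1343+/1344+ ("accept capabilities to be specified with a `CAP_` prefix") can be read as saying the prefix is required, while the example that follows shows both `SYS_ADMIN` and `CAP_SYS_ADMIN` working; suggest "accept capabilities with or without a `CAP_` prefix, so the following examples are equivalent". Two pre-existing nits become more visible now that the rows are sorted and could be fixed in the same pass: "Override resource Limits." (1328+) should be lowercase "limits", and "Trigger something that will wake up the system." (WAKE_ALARM) is vague next to the other rows, e.g. "Trigger a timer that will wake up the system (see timerfd_create(2))" in the style of the other entries. Finally, the unchanged closing paragraph "instead of using `--privileged` they should use `--cap-add=NET_ADMIN`" has no antecedent for "they"; "operators should use" reads better.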
