• Cartoon showing a light purple os-tree icon on the left and a dark purple gradiated os-tree icon on the right. a large purple arrow is pointing from the one on the left to the one on the right. the os-tree icon on the right has a septagon with the words OCI on it, representing an OCI contianer image modifying the os-tree it depicts. The podman selkie seals cartoon is inbetween the two icons under the arrow. The background is purple and the seals are in blue water.

Dropping Capabilities, making containers more secure.

You might not know this but Podman has been running with less capabilities then Docker for a while now. Not only does Podman default to running rootless but even in rootless mode, it runs tighter then Docker. Docker runs with 14 root capabilities while Podman runs with 10.

However, this has been via distribution defaults rather then built in defaults. Fedora, RHEL, Centos and other distributions based on the Fedora containers-common rpm have been shipping with the following list of capabilities in /usr/share/containers/containers.conf.

default_capabilities = ["CHOWN",  "DAC_OVERRIDE", "FOWNER",  "FSETID",  "KILL",  "NET_BIND_SERVICE",  "SETFCAP",  "SETGID",  "SETPCAP",  "SETUID"]


Other distributions are able to ship their own defaults. This week I changed the default in container/common, so that the builtin defaults will now be just the 10 capabilities. This means that when Podman 4.4 ships all distributions will use these defaults unless they override them in their containers.conf files.

What were the four that we dropped?

CAP_CHROOT : Allows processes inside of the container to setup a chroot. We have seen very few containers of the years which needed this capability.

CAP_AUDIT_WRITE: Allows processes to modify and write to the audit subsystems. When people try to run sshd inside of a container, it might need this capability.

CAP_MKNOD: This allows container processes to create device nodes. Device nodes are created by Podman, and it is considered dangerous to allow processes to create device nodes.

CAP_NET_RAW: This allows container processes to formulate their own network packets. This is very dangerous since it could trigger errors in the network stack. Was needed for ping, but we have added a sysctl to allow pinging without CAP_NET_RAW.


# A list of sysctls to be set in containers by default,
# specified as “name=value”
# for example:”net.ipv4.ping_group_range=0 0″.
#
default_sysctls = [
“net.ipv4.ping_group_range=0 0”,
]

If your container needs one of these capabilities, it is easy to add one back.

podman run –cap-add NET_RAW …


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe

Sign up with your email address to receive updates by email from this website.


Categories


Search