Why is requiring that all capabilities be dropped in a Kubernetes PodSecurityPolicy redundant with non-root + disallow privilege escalation?
The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet
...
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
...
Why is dropping all capabilities redundant for non-root + disallow privilege escalation? You can have a container process without privilege escalation that is non-root but has effective capabilities right?
It seems like this is not possible with Docker:
$ docker run --cap-add SYS_ADMIN --user 1000 ubuntu grep Cap /proc/self/status
CapInh: 00000000a82425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a82425fb
CapAmb: 0000000000000000
All effective capabilities have been dropped even when trying to explicitly add them. But other container runtimes could implement it, so is this comment just Docker specific?
docker
kubernetes containers linux-capabilities edited Nov 16 '18 at 18:20
Rico
28.7k95168
asked Nov 15 '18 at 21:23
dippynarkdippynark
740316
add a comment |
The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet
...
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
...
Why is dropping all capabilities redundant for non-root + disallow privilege escalation? You can have a container process without privilege escalation that is non-root but has effective capabilities right?
It seems like this is not possible with Docker:
$ docker run --cap-add SYS_ADMIN --user 1000 ubuntu grep Cap /proc/self/status
CapInh: 00000000a82425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a82425fb
CapAmb: 0000000000000000
All effective capabilities have been dropped even when trying to explicitly add them. But other container runtimes could implement it, so is this comment just Docker specific?
docker
kubernetes containers linux-capabilities edited Nov 16 '18 at 18:20
Rico
28.7k95168
asked Nov 15 '18 at 21:23
dippynarkdippynark
740316
add a comment |
The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet
...
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
...
Why is dropping all capabilities redundant for non-root + disallow privilege escalation? You can have a container process without privilege escalation that is non-root but has effective capabilities right?
It seems like this is not possible with Docker:
$ docker run --cap-add SYS_ADMIN --user 1000 ubuntu grep Cap /proc/self/status
CapInh: 00000000a82425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a82425fb
CapAmb: 0000000000000000
All effective capabilities have been dropped even when trying to explicitly add them. But other container runtimes could implement it, so is this comment just Docker specific?
docker
kubernetes containers linux-capabilities edited Nov 16 '18 at 18:20
Rico
28.7k95168
asked Nov 15 '18 at 21:23
dippynarkdippynark
740316
The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet
...
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
...
Why is dropping all capabilities redundant for non-root + disallow privilege escalation? You can have a container process without privilege escalation that is non-root but has effective capabilities right?
It seems like this is not possible with Docker:
$ docker run --cap-add SYS_ADMIN --user 1000 ubuntu grep Cap /proc/self/status
CapInh: 00000000a82425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a82425fb
CapAmb: 0000000000000000
All effective capabilities have been dropped even when trying to explicitly add them. But other container runtimes could implement it, so is this comment just Docker specific?
docker
kubernetes containers linux-capabilities docker
kubernetes containers linux-capabilities edited Nov 16 '18 at 18:20
Rico
28.7k95168
asked Nov 15 '18 at 21:23
dippynarkdippynark
740316
edited Nov 16 '18 at 18:20
Rico
28.7k95168
asked Nov 15 '18 at 21:23
dippynarkdippynark
740316
edited Nov 16 '18 at 18:20
Rico
28.7k95168
edited Nov 16 '18 at 18:20
Rico
28.7k95168
edited Nov 16 '18 at 18:20
Rico
28.7k95168
28.7k95168
asked Nov 15 '18 at 21:23
dippynarkdippynark
740316
asked Nov 15 '18 at 21:23
dippynarkdippynark
740316
asked Nov 15 '18 at 21:23
dippynarkdippynark
740316
740316
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
Why is dropping all capabilities redundant for non-root + disallow privilege escalation?
Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
clone, and execve and cannot be unset". More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.
The equivalent Docker options here are:
--user=whatever=>privileged: false--security-opt=no-new-privileges=>allowPrivilegeEscalation: false--cap-drop=all=>requiredDropCapabilities: [ALL]
It seems like this is not possible with Docker
That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN
This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.
Note that it seems like the default capability mask for docker includes SYS_ADMIN
$ docker run --rm ubuntu grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
$ capsh --decode=00000000a82425fb
0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.
But other container runtimes could implement it, so is this comment just Docker specific?
I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)
answered Nov 16 '18 at 1:27
RicoRico
28.7k95168
why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally
– dippynark
Nov 16 '18 at 7:38
Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.
– Rico
Nov 16 '18 at 15:32
That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting theno_new_privsbit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.
– dippynark
Nov 16 '18 at 15:58
Right, I meant new capabilities, so that combined withprivileged: falserendersrequiredDropCapabilities: ALLredundant. I suppose that's what docker is doing when you specify--user 1000
– Rico
Nov 16 '18 at 17:03
1
Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped withpriviledged: false+allowPrivilegeEscalation: falseand keep some capabilities that would be able to be dropped byrequiredDropCapabilities: <something>
– Rico
Nov 17 '18 at 19:03
|
show 2 more comments
Your Answer
StackExchange.ifUsing("editor", function ()
StackExchange.using("externalEditor", function ()
StackExchange.using("snippets", function ()
StackExchange.snippets.init();
);
);
, "code-snippets");
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "1"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53328090%2fwhy-is-requiring-that-all-capabilities-be-dropped-in-a-kubernetes-podsecuritypol%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
Why is dropping all capabilities redundant for non-root + disallow privilege escalation?
Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
clone, and execve and cannot be unset". More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.
The equivalent Docker options here are:
--user=whatever=>privileged: false--security-opt=no-new-privileges=>allowPrivilegeEscalation: false--cap-drop=all=>requiredDropCapabilities: [ALL]
It seems like this is not possible with Docker
That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN
This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.
Note that it seems like the default capability mask for docker includes SYS_ADMIN
$ docker run --rm ubuntu grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
$ capsh --decode=00000000a82425fb
0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.
But other container runtimes could implement it, so is this comment just Docker specific?
I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)
answered Nov 16 '18 at 1:27
RicoRico
28.7k95168
why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally
– dippynark
Nov 16 '18 at 7:38
Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.
– Rico
Nov 16 '18 at 15:32
That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting theno_new_privsbit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.
– dippynark
Nov 16 '18 at 15:58
Right, I meant new capabilities, so that combined withprivileged: falserendersrequiredDropCapabilities: ALLredundant. I suppose that's what docker is doing when you specify--user 1000
– Rico
Nov 16 '18 at 17:03
1
Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped withpriviledged: false+allowPrivilegeEscalation: falseand keep some capabilities that would be able to be dropped byrequiredDropCapabilities: <something>
– Rico
Nov 17 '18 at 19:03
|
show 2 more comments
Why is dropping all capabilities redundant for non-root + disallow privilege escalation?
Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
clone, and execve and cannot be unset". More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.
The equivalent Docker options here are:
--user=whatever=>privileged: false--security-opt=no-new-privileges=>allowPrivilegeEscalation: false--cap-drop=all=>requiredDropCapabilities: [ALL]
It seems like this is not possible with Docker
That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN
This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.
Note that it seems like the default capability mask for docker includes SYS_ADMIN
$ docker run --rm ubuntu grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
$ capsh --decode=00000000a82425fb
0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.
But other container runtimes could implement it, so is this comment just Docker specific?
I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)
answered Nov 16 '18 at 1:27
RicoRico
28.7k95168
why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally
– dippynark
Nov 16 '18 at 7:38
Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.
– Rico
Nov 16 '18 at 15:32
That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting theno_new_privsbit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.
– dippynark
Nov 16 '18 at 15:58
Right, I meant new capabilities, so that combined withprivileged: falserendersrequiredDropCapabilities: ALLredundant. I suppose that's what docker is doing when you specify--user 1000
– Rico
Nov 16 '18 at 17:03
1
Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped withpriviledged: false+allowPrivilegeEscalation: falseand keep some capabilities that would be able to be dropped byrequiredDropCapabilities: <something>
– Rico
Nov 17 '18 at 19:03
|
show 2 more comments
Why is dropping all capabilities redundant for non-root + disallow privilege escalation?
Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
clone, and execve and cannot be unset". More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.
The equivalent Docker options here are:
--user=whatever=>privileged: false--security-opt=no-new-privileges=>allowPrivilegeEscalation: false--cap-drop=all=>requiredDropCapabilities: [ALL]
It seems like this is not possible with Docker
That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN
This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.
Note that it seems like the default capability mask for docker includes SYS_ADMIN
$ docker run --rm ubuntu grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
$ capsh --decode=00000000a82425fb
0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.
But other container runtimes could implement it, so is this comment just Docker specific?
I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)
answered Nov 16 '18 at 1:27
RicoRico
28.7k95168
Why is dropping all capabilities redundant for non-root + disallow privilege escalation?
Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
clone, and execve and cannot be unset". More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.
The equivalent Docker options here are:
--user=whatever=>privileged: false--security-opt=no-new-privileges=>allowPrivilegeEscalation: false--cap-drop=all=>requiredDropCapabilities: [ALL]
It seems like this is not possible with Docker
That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN
This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.
Note that it seems like the default capability mask for docker includes SYS_ADMIN
$ docker run --rm ubuntu grep Cap /proc/self/status
CapInh: 00000000a80425fb
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
CapAmb: 0000000000000000
$ capsh --decode=00000000a82425fb
0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap
Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.
But other container runtimes could implement it, so is this comment just Docker specific?
I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)
answered Nov 16 '18 at 1:27
RicoRico
28.7k95168
edited Dec 5 '18 at 19:04
answered Nov 16 '18 at 1:27
RicoRico
28.7k95168
answered Nov 16 '18 at 1:27
RicoRico
28.7k95168
answered Nov 16 '18 at 1:27
RicoRico
28.7k95168
28.7k95168
why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally
– dippynark
Nov 16 '18 at 7:38
Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.
– Rico
Nov 16 '18 at 15:32
That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting theno_new_privsbit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.
– dippynark
Nov 16 '18 at 15:58
Right, I meant new capabilities, so that combined withprivileged: falserendersrequiredDropCapabilities: ALLredundant. I suppose that's what docker is doing when you specify--user 1000
– Rico
Nov 16 '18 at 17:03
1
Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped withpriviledged: false+allowPrivilegeEscalation: falseand keep some capabilities that would be able to be dropped byrequiredDropCapabilities: <something>
– Rico
Nov 17 '18 at 19:03
|
show 2 more comments
why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally
– dippynark
Nov 16 '18 at 7:38
Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.
– Rico
Nov 16 '18 at 15:32
That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting theno_new_privsbit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.
– dippynark
Nov 16 '18 at 15:58
Right, I meant new capabilities, so that combined withprivileged: falserendersrequiredDropCapabilities: ALLredundant. I suppose that's what docker is doing when you specify--user 1000
– Rico
Nov 16 '18 at 17:03
1
Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped withpriviledged: false+allowPrivilegeEscalation: falseand keep some capabilities that would be able to be dropped byrequiredDropCapabilities: <something>
– Rico
Nov 17 '18 at 19:03
why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally
– dippynark
Nov 16 '18 at 7:38
why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally
– dippynark
Nov 16 '18 at 7:38
Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.
– Rico
Nov 16 '18 at 15:32
Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.
– Rico
Nov 16 '18 at 15:32
That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the
no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.– dippynark
Nov 16 '18 at 15:58
That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the
no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.– dippynark
Nov 16 '18 at 15:58
Right, I meant new capabilities, so that combined with
privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000– Rico
Nov 16 '18 at 17:03
Right, I meant new capabilities, so that combined with
privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000– Rico
Nov 16 '18 at 17:03
1
1
Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with
priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>– Rico
Nov 17 '18 at 19:03
Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with
priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>– Rico
Nov 17 '18 at 19:03
|
show 2 more comments
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53328090%2fwhy-is-requiring-that-all-capabilities-be-dropped-in-a-kubernetes-podsecuritypol%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
