Why is requiring that all capabilities be dropped in a Kubernetes PodSecurityPolicy redundant with non-root + disallow privilege escalation?










0















The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet



...
spec:
privileged: false
# Required to prevent escalations to root.
allowPrivilegeEscalation: false
# This is redundant with non-root + disallow privilege escalation,
# but we can provide it for defense in depth.
requiredDropCapabilities:
- ALL
...


Why is dropping all capabilities redundant for non-root + disallow privilege escalation? You can have a container process without privilege escalation that is non-root but has effective capabilities right?



It seems like this is not possible with Docker:



$ docker run --cap-add SYS_ADMIN --user 1000 ubuntu grep Cap /proc/self/status
CapInh: 00000000a82425fb
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 00000000a82425fb
CapAmb: 0000000000000000


All effective capabilities have been dropped even when trying to explicitly add them. But other container runtimes could implement it, so is this comment just Docker specific?










share|improve this question




























    0















    The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet



    ...
    spec:
    privileged: false
    # Required to prevent escalations to root.
    allowPrivilegeEscalation: false
    # This is redundant with non-root + disallow privilege escalation,
    # but we can provide it for defense in depth.
    requiredDropCapabilities:
    - ALL
    ...


    Why is dropping all capabilities redundant for non-root + disallow privilege escalation? You can have a container process without privilege escalation that is non-root but has effective capabilities right?



    It seems like this is not possible with Docker:



    $ docker run --cap-add SYS_ADMIN --user 1000 ubuntu grep Cap /proc/self/status
    CapInh: 00000000a82425fb
    CapPrm: 0000000000000000
    CapEff: 0000000000000000
    CapBnd: 00000000a82425fb
    CapAmb: 0000000000000000


    All effective capabilities have been dropped even when trying to explicitly add them. But other container runtimes could implement it, so is this comment just Docker specific?










    share|improve this question


























      0












      0








      0








      The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet



      ...
      spec:
      privileged: false
      # Required to prevent escalations to root.
      allowPrivilegeEscalation: false
      # This is redundant with non-root + disallow privilege escalation,
      # but we can provide it for defense in depth.
      requiredDropCapabilities:
      - ALL
      ...


      Why is dropping all capabilities redundant for non-root + disallow privilege escalation? You can have a container process without privilege escalation that is non-root but has effective capabilities right?



      It seems like this is not possible with Docker:



      $ docker run --cap-add SYS_ADMIN --user 1000 ubuntu grep Cap /proc/self/status
      CapInh: 00000000a82425fb
      CapPrm: 0000000000000000
      CapEff: 0000000000000000
      CapBnd: 00000000a82425fb
      CapAmb: 0000000000000000


      All effective capabilities have been dropped even when trying to explicitly add them. But other container runtimes could implement it, so is this comment just Docker specific?










      share|improve this question
















      The second example policy from the PodSecurityPolicy documentation consists of the following PodSecurityPolicy snippet



      ...
      spec:
      privileged: false
      # Required to prevent escalations to root.
      allowPrivilegeEscalation: false
      # This is redundant with non-root + disallow privilege escalation,
      # but we can provide it for defense in depth.
      requiredDropCapabilities:
      - ALL
      ...


      Why is dropping all capabilities redundant for non-root + disallow privilege escalation? You can have a container process without privilege escalation that is non-root but has effective capabilities right?



      It seems like this is not possible with Docker:



      $ docker run --cap-add SYS_ADMIN --user 1000 ubuntu grep Cap /proc/self/status
      CapInh: 00000000a82425fb
      CapPrm: 0000000000000000
      CapEff: 0000000000000000
      CapBnd: 00000000a82425fb
      CapAmb: 0000000000000000


      All effective capabilities have been dropped even when trying to explicitly add them. But other container runtimes could implement it, so is this comment just Docker specific?







      docker kubernetes containers linux-capabilities






      share|improve this question















      share|improve this question













      share|improve this question




      share|improve this question








      edited Nov 16 '18 at 18:20









      Rico

      28.7k95168




      28.7k95168










      asked Nov 15 '18 at 21:23









      dippynarkdippynark

      740316




      740316






















          1 Answer
          1






          active

          oldest

          votes


















          1















          Why is dropping all capabilities redundant for non-root + disallow privilege escalation?




          Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
          clone, and execve and cannot be unset"
          . More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.



          The equivalent Docker options here are:




          • --user=whatever => privileged: false


          • --security-opt=no-new-privileges => allowPrivilegeEscalation: false


          • --cap-drop=all => requiredDropCapabilities: [ALL]


          It seems like this is not possible with Docker




          That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN



          This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.



          Note that it seems like the default capability mask for docker includes SYS_ADMIN



          $ docker run --rm ubuntu grep Cap /proc/self/status
          CapInh: 00000000a80425fb
          CapPrm: 00000000a80425fb
          CapEff: 00000000a80425fb
          CapBnd: 00000000a80425fb
          CapAmb: 0000000000000000
          $ capsh --decode=00000000a82425fb
          0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap


          Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.




          But other container runtimes could implement it, so is this comment just Docker specific?




          I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)






          share|improve this answer

























          • why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally

            – dippynark
            Nov 16 '18 at 7:38











          • Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.

            – Rico
            Nov 16 '18 at 15:32











          • That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.

            – dippynark
            Nov 16 '18 at 15:58











          • Right, I meant new capabilities, so that combined with privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000

            – Rico
            Nov 16 '18 at 17:03






          • 1





            Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>

            – Rico
            Nov 17 '18 at 19:03










          Your Answer






          StackExchange.ifUsing("editor", function ()
          StackExchange.using("externalEditor", function ()
          StackExchange.using("snippets", function ()
          StackExchange.snippets.init();
          );
          );
          , "code-snippets");

          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "1"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          autoActivateHeartbeat: false,
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader:
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          ,
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













          draft saved

          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53328090%2fwhy-is-requiring-that-all-capabilities-be-dropped-in-a-kubernetes-podsecuritypol%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes









          1















          Why is dropping all capabilities redundant for non-root + disallow privilege escalation?




          Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
          clone, and execve and cannot be unset"
          . More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.



          The equivalent Docker options here are:




          • --user=whatever => privileged: false


          • --security-opt=no-new-privileges => allowPrivilegeEscalation: false


          • --cap-drop=all => requiredDropCapabilities: [ALL]


          It seems like this is not possible with Docker




          That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN



          This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.



          Note that it seems like the default capability mask for docker includes SYS_ADMIN



          $ docker run --rm ubuntu grep Cap /proc/self/status
          CapInh: 00000000a80425fb
          CapPrm: 00000000a80425fb
          CapEff: 00000000a80425fb
          CapBnd: 00000000a80425fb
          CapAmb: 0000000000000000
          $ capsh --decode=00000000a82425fb
          0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap


          Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.




          But other container runtimes could implement it, so is this comment just Docker specific?




          I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)






          share|improve this answer

























          • why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally

            – dippynark
            Nov 16 '18 at 7:38











          • Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.

            – Rico
            Nov 16 '18 at 15:32











          • That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.

            – dippynark
            Nov 16 '18 at 15:58











          • Right, I meant new capabilities, so that combined with privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000

            – Rico
            Nov 16 '18 at 17:03






          • 1





            Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>

            – Rico
            Nov 17 '18 at 19:03















          1















          Why is dropping all capabilities redundant for non-root + disallow privilege escalation?




          Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
          clone, and execve and cannot be unset"
          . More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.



          The equivalent Docker options here are:




          • --user=whatever => privileged: false


          • --security-opt=no-new-privileges => allowPrivilegeEscalation: false


          • --cap-drop=all => requiredDropCapabilities: [ALL]


          It seems like this is not possible with Docker




          That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN



          This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.



          Note that it seems like the default capability mask for docker includes SYS_ADMIN



          $ docker run --rm ubuntu grep Cap /proc/self/status
          CapInh: 00000000a80425fb
          CapPrm: 00000000a80425fb
          CapEff: 00000000a80425fb
          CapBnd: 00000000a80425fb
          CapAmb: 0000000000000000
          $ capsh --decode=00000000a82425fb
          0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap


          Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.




          But other container runtimes could implement it, so is this comment just Docker specific?




          I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)






          share|improve this answer

























          • why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally

            – dippynark
            Nov 16 '18 at 7:38











          • Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.

            – Rico
            Nov 16 '18 at 15:32











          • That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.

            – dippynark
            Nov 16 '18 at 15:58











          • Right, I meant new capabilities, so that combined with privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000

            – Rico
            Nov 16 '18 at 17:03






          • 1





            Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>

            – Rico
            Nov 17 '18 at 19:03













          1












          1








          1








          Why is dropping all capabilities redundant for non-root + disallow privilege escalation?




          Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
          clone, and execve and cannot be unset"
          . More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.



          The equivalent Docker options here are:




          • --user=whatever => privileged: false


          • --security-opt=no-new-privileges => allowPrivilegeEscalation: false


          • --cap-drop=all => requiredDropCapabilities: [ALL]


          It seems like this is not possible with Docker




          That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN



          This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.



          Note that it seems like the default capability mask for docker includes SYS_ADMIN



          $ docker run --rm ubuntu grep Cap /proc/self/status
          CapInh: 00000000a80425fb
          CapPrm: 00000000a80425fb
          CapEff: 00000000a80425fb
          CapBnd: 00000000a80425fb
          CapAmb: 0000000000000000
          $ capsh --decode=00000000a82425fb
          0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap


          Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.




          But other container runtimes could implement it, so is this comment just Docker specific?




          I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)






          share|improve this answer
















          Why is dropping all capabilities redundant for non-root + disallow privilege escalation?




          Because you need privilege escalation to be able to use 'new' capabilities, an effectively allowPrivilegeEscalation: false is disabling setuid in the execve system call that prevents the use of any new capabilities. Also as shown in the docs: "Once the bit is set, it is inherited across fork,
          clone, and execve and cannot be unset"
          . More info here. This in combination with privileged: false renders requiredDropCapabilities: [ALL] redundant.



          The equivalent Docker options here are:




          • --user=whatever => privileged: false


          • --security-opt=no-new-privileges => allowPrivilegeEscalation: false


          • --cap-drop=all => requiredDropCapabilities: [ALL]


          It seems like this is not possible with Docker




          That's what looks like Docker is doing, the moment you specify a non-privileged user all of the effective capabilities are dropped (CapEff: 0000000000000000), even if you specify --cap-add SYS_ADMIN



          This combined with the --security-opt=no-new-privileges as an option renders --cap-drop=all redundant.



          Note that it seems like the default capability mask for docker includes SYS_ADMIN



          $ docker run --rm ubuntu grep Cap /proc/self/status
          CapInh: 00000000a80425fb
          CapPrm: 00000000a80425fb
          CapEff: 00000000a80425fb
          CapBnd: 00000000a80425fb
          CapAmb: 0000000000000000
          $ capsh --decode=00000000a82425fb
          0x00000000a82425fb=cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_sys_admin,cap_mknod,cap_audit_write,cap_setfcap


          Which would make sense why the 00000000a82425fb is the same without specifying any --cap-add option.




          But other container runtimes could implement it, so is this comment just Docker specific?




          I suppose, so you could have a case where privileged: false and allowPrivilegeEscalation: false not effectively disabling capabilities and that could be dropped with requiredDropCapabilities:. (Although, I don't see why another runtime would want to change the Docker behavior)







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Dec 5 '18 at 19:04

























          answered Nov 16 '18 at 1:27









          RicoRico

          28.7k95168




          28.7k95168












          • why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally

            – dippynark
            Nov 16 '18 at 7:38











          • Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.

            – Rico
            Nov 16 '18 at 15:32











          • That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.

            – dippynark
            Nov 16 '18 at 15:58











          • Right, I meant new capabilities, so that combined with privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000

            – Rico
            Nov 16 '18 at 17:03






          • 1





            Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>

            – Rico
            Nov 17 '18 at 19:03

















          • why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally

            – dippynark
            Nov 16 '18 at 7:38











          • Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.

            – Rico
            Nov 16 '18 at 15:32











          • That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.

            – dippynark
            Nov 16 '18 at 15:58











          • Right, I meant new capabilities, so that combined with privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000

            – Rico
            Nov 16 '18 at 17:03






          • 1





            Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>

            – Rico
            Nov 17 '18 at 19:03
















          why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally

          – dippynark
          Nov 16 '18 at 7:38





          why do you need privilege escalation to use capabilities? Capabilities can be inherited from forking without either the parent or child needing to escalate privileges through an exec - if you do need privilege escalation to use capabilities this is no longer Docker specific, it applies to Linux more generally

          – dippynark
          Nov 16 '18 at 7:38













          Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.

          – Rico
          Nov 16 '18 at 15:32





          Yes, it is a Linux thing. Quoted from the link above: "Once the bit is set, it is inherited across fork, clone, and execve and cannot be unset". So whatever is forked even if it's inheriting capabilities, it wouldn't be able to effectively use them.

          – Rico
          Nov 16 '18 at 15:32













          That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.

          – dippynark
          Nov 16 '18 at 15:58





          That doesn't mean it can't use capabilities, it means the process can't gain more capabilities through an exec - so if a container starts with the capabilities it needs, then setting the no_new_privs bit doesn't prevent it from retaining and using those capabilities, even over forks/clones etc.

          – dippynark
          Nov 16 '18 at 15:58













          Right, I meant new capabilities, so that combined with privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000

          – Rico
          Nov 16 '18 at 17:03





          Right, I meant new capabilities, so that combined with privileged: false renders requiredDropCapabilities: ALL redundant. I suppose that's what docker is doing when you specify --user 1000

          – Rico
          Nov 16 '18 at 17:03




          1




          1





          Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>

          – Rico
          Nov 17 '18 at 19:03





          Yes. I agree. The only thing is that I can't see why another runtime would want to change this behavior but it's possible. Where effective capabilities would not be dropped with priviledged: false + allowPrivilegeEscalation: false and keep some capabilities that would be able to be dropped by requiredDropCapabilities: <something>

          – Rico
          Nov 17 '18 at 19:03



















          draft saved

          draft discarded
















































          Thanks for contributing an answer to Stack Overflow!


          • Please be sure to answer the question. Provide details and share your research!

          But avoid


          • Asking for help, clarification, or responding to other answers.

          • Making statements based on opinion; back them up with references or personal experience.

          To learn more, see our tips on writing great answers.




          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53328090%2fwhy-is-requiring-that-all-capabilities-be-dropped-in-a-kubernetes-podsecuritypol%23new-answer', 'question_page');

          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Top Tejano songwriter Luis Silva dead of heart attack at 64

          政党

          天津地下鉄3号線