Description
We would like to be able to configure the default capabilities to be more limited than the current default.
While working on hardening docker hosts, we found that the default linux capabilities were too open for our security policies. Rather than change the default for everyone we would like the ability to configure the default capabilities in the docker daemon. This will let us achieve our security objectives without changing the defaults for everyone.
Steps to reproduce the issue:
- docker run alpine
- Check the linux capabilities of the process.
Describe the results you received:
The process will have these capabilities:
CAP_CHOWN
CAP_DAC_OVERRIDE
CAP_FSETID
CAP_FOWNER
CAP_MKNOD
CAP_NET_RAW
CAP_SETGID
CAP_SETUID
CAP_SETFCAP
CAP_SETPCAP
CAP_NET_BIND_SERVICE
CAP_SYS_CHROOT
CAP_KILL
CAP_AUDIT_WRITE
Describe the results you expected:
We would like to be able to set the default capabilities. (For reference, the policy we are considering is to only have CAP_NET_BIND_SERVICE, CAP_KILL, CAP_AUDIT_WRITE on by default.)
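As an added illustration (not part of the reporter's text or of the Docker project), the script below decodes the effective capability mask a container process reports in /proc/self/status, compares it with an allowlist such as the one proposed above, and prints the per-container `docker run --cap-drop=ALL --cap-add=...` flags that enforce that allowlist today, since the daemon-level default this issue asks for is not available. The hex mask used as sample input is computed from the fourteen capabilities listed in the issue using the standard Linux capability bit numbers; it is constructed here, not captured from the reporter's host.

```shell
#!/usr/bin/env bash
# Linux capability names ordered by bit number (CAP_CHOWN = bit 0, ... CAP_AUDIT_READ = bit 37).
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap \
linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner \
sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice \
sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap \
mac_override mac_admin syslog wake_alarm block_suspend audit_read"

# decode_caps HEXMASK: print one CAP_* name per line for every bit set in the mask
# (the same format as the CapEff line of /proc/<pid>/status).
decode_caps() {
  local mask=$((0x$1)) bit=0 name
  for name in $CAP_NAMES; do
    if [ $(( (mask >> bit) & 1 )) -eq 1 ]; then
      printf 'CAP_%s\n' "$(printf '%s' "$name" | tr a-z A-Z)"
    fi
    bit=$((bit + 1))
  done
}

# excess_caps HEXMASK CAP_A CAP_B ...: print the capabilities in the mask that the
# allowlist does not permit, i.e. what a policy check would flag.
excess_caps() {
  local mask=$1; shift
  local allowed=" $* " cap
  for cap in $(decode_caps "$mask"); do
    case "$allowed" in
      *" $cap "*) ;;
      *) printf '%s\n' "$cap" ;;
    esac
  done
}

# cap_flags CAP_A CAP_B ...: build the docker run flags that drop everything and
# re-add only the allowlisted capabilities (docker accepts names without the CAP_ prefix).
cap_flags() {
  local cap
  printf '%s' '--cap-drop=ALL'
  for cap in "$@"; do
    printf ' --cap-add=%s' "${cap#CAP_}"
  done
  printf '\n'
}

# current_capeff: read the effective set of this shell; meant to be run inside a container.
current_capeff() {
  awk '/^CapEff:/ {print $2}' /proc/self/status
}

# Constructed sample: mask for the 14 capabilities listed in the issue (Docker's stock default).
DEFAULT_CAPEFF=00000000a80425fb
# The allowlist proposed in the issue.
POLICY="CAP_NET_BIND_SERVICE CAP_KILL CAP_AUDIT_WRITE"

echo "Capabilities in the default set:"
decode_caps "$DEFAULT_CAPEFF"
echo "Capabilities outside the proposed policy:"
excess_caps "$DEFAULT_CAPEFF" $POLICY
echo "Enforce the policy per container with:"
echo "  docker run $(cap_flags $POLICY) alpine"
```

Running `docker run --rm alpine grep CapEff /proc/self/status` and feeding the second field to `decode_caps` reproduces the fourteen-entry list from the issue; `excess_caps` then reports the eleven capabilities the proposed policy would remove. The `--cap-drop=ALL` plus explicit `--cap-add` form is the usual interim control, and an admission policy or a wrapper around `docker run` can require it until the daemon can apply a narrower default itself.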
Additional information you deem important (e.g. issue happens only occasionally):
I am more than happy to implement this change. I opened the ticket first as requested by the contributing guidelines.
Output of docker version:
[zach@localhost boot]$ sudo docker version
Client:
Version: 1.13.1
API version: 1.26
Package version: docker-1.13.1-94.gitb2f74b2.el7.centos.x86_64
Go version: go1.10.3
Git commit: b2f74b2/1.13.1
Built: Tue Mar 12 10:27:24 2019
OS/Arch: linux/amd64
Server:
Version: 1.13.1
API version: 1.26 (minimum version 1.12)
Package version: docker-1.13.1-94.gitb2f74b2.el7.centos.x86_64
Go version: go1.10.3
Git commit: b2f74b2/1.13.1
Built: Tue Mar 12 10:27:24 2019
OS/Arch: linux/amd64
Experimental: false
Output of docker info:
[zach@localhost boot]$ sudo docker info
[sudo] password for zach:
Containers: 0
Running: 0
Paused: 0
Stopped: 0
Images: 0
Server Version: 1.13.1
Storage Driver: overlay2
Backing Filesystem: xfs
Supports d_type: true
Native Overlay Diff: true
Logging Driver: journald
Cgroup Driver: systemd
Plugins:
Volume: local
Network: bridge host macvlan null overlay
Swarm: inactive
Runtimes: docker-runc runc
Default Runtime: docker-runc
Init Binary: /usr/libexec/docker/docker-init-current
containerd version: (expected: aa8187dbd3b7ad67d8e5e3a15115d3eef43a7ed1)
runc version: df5c38a9167e87f53a9894d77c0950e178a745e7 (expected: 9df8b306d01f59d3a8029be411de015b7304dd8f)
init version: fec3683b971d9c3ef73f284f176672c44b448662 (expected: 949e6facb77383876aeff8a6944dde66b3089574)
Security Options:
seccomp
WARNING: You're not using the default seccomp profile
Profile: /etc/docker/seccomp.json
selinux
Kernel Version: 3.10.0-957.10.1.el7.x86_64
Operating System: CentOS Linux 7 (Core)
OSType: linux
Architecture: x86_64
Number of Docker Hooks: 3
CPUs: 2
Total Memory: 5.669 GiB
Name: localhost.localdomain
ID: WAN2:YHAU:G4C7:V4WM:ZOMC:6MRE:GCXG:7JGR:LOZ3:UQ2F:RNHG:WTYE
Docker Root Dir: /var/lib/docker
Debug Mode (client): false
Debug Mode (server): false
Registry: https://index.docker.io/v1/
Experimental: false
Insecure Registries:
127.0.0.0/8
Live Restore Enabled: false
Registries: docker.io (secure)
Additional environment details (AWS, VirtualBox, physical, etc.):