References:
Docker Containers Can Do Too Much
Your containers can do too much. Look at all the capabilities a Docker container gets by default:
- SYS_ADMIN
- NET_ADMIN
- NET_RAW
- FOWNER
- SETGID
- SETUID
- CHOWN
- AUDIT_CONTROL
- AUDIT_READ
- AUDIT_WRITE
- BLOCK_SUSPEND
- BPF
- CHECKPOINT_RESTORE
- DAC_READ_SEARCH
- DAC_OVERRIDE
- FSETID
- IPC_LOCK
- KILL
- LEASE
- LINUX_IMMUTABLE
- MAC_ADMIN
- MAC_OVERRIDE
- MKNOD
- NET_ADMIN
- NET_BIND_SERVICE
- NET_BROADCAST
- PERFMON
- SETFCAP
- SETPCAP
- SYS_BOOT
- SYS_CHROOT
- SYS_NICE
- SYS_PACCT
- SYS_PTRACE
- SYS_RAWIO
- SYS_RESOURCE
- SYS_TIME
- SYS_TTY_CONFIG
- SYSLOG
- WAKE_ALARM
This should clearly be limited. Containers share the host kernel; that is how they cut down on overhead, and it also means every capability you leave in the container is a capability held against that shared kernel. Granting unnecessary capabilities violates the principle of least privilege. So, how do you go about it?
Short answer: wing it.
Long answer: you're going to have to troubleshoot which capabilities your container actually needs to work. Here's what has worked for me:
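One way to take the guesswork out of that troubleshooting is to read what a running container actually holds. `docker exec <name> cat /proc/1/status` prints `CapEff`, `CapPrm` and `CapBnd` as hexadecimal bitmasks where each bit is one capability number from the kernel's capability.h. The decoder below is an added example, not code from the original post: it turns those masks into the names used in compose `cap_add` lists, reports anything held beyond what you intended, and renders the minimal block. The sample `/proc/1/status` text is constructed to match the AdGuardHome set shown later on this page; the `/proc/1/status` lines are what the kernel prints, the helper names are my own.

```python
"""Decode Linux capability bitmasks from /proc/<pid>/status and compare
them with the cap_add list a compose file is meant to grant."""

# Capability names in kernel numbering order (index == capability number),
# spelled without the CAP_ prefix so they match compose cap_add entries.
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID",
    "KILL", "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE",
    "NET_BIND_SERVICE", "NET_BROADCAST", "NET_ADMIN", "NET_RAW",
    "IPC_LOCK", "IPC_OWNER", "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT",
    "SYS_PTRACE", "SYS_PACCT", "SYS_ADMIN", "SYS_BOOT", "SYS_NICE",
    "SYS_RESOURCE", "SYS_TIME", "SYS_TTY_CONFIG", "MKNOD", "LEASE",
    "AUDIT_WRITE", "AUDIT_CONTROL", "SETFCAP", "MAC_OVERRIDE",
    "MAC_ADMIN", "SYSLOG", "WAKE_ALARM", "BLOCK_SUSPEND", "AUDIT_READ",
    "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Constructed sample of /proc/1/status output (fields the kernel prints,
# values chosen to equal CHOWN+SETGID+SETUID+NET_BIND_SERVICE+SYS_CHROOT).
SAMPLE_STATUS = (
    "Name:\tAdGuardHome\n"
    "Uid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000000404c1\n"
    "CapEff:\t00000000000404c1\n"
    "CapBnd:\t00000000000404c1\n"
    "CapAmb:\t0000000000000000\n"
)


def decode_capmask(hex_mask: str) -> list[str]:
    """Return the capability names whose bits are set, in kernel order."""
    mask = int(hex_mask, 16)
    names = [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    # Bits above the table mean a newer kernel than this list knows about.
    if mask >> len(CAP_NAMES):
        names.append("UNKNOWN_HIGH_BITS")
    return names


def parse_proc_status(text: str) -> dict[str, list[str]]:
    """Decode every Cap* line of a /proc/<pid>/status dump."""
    sets: dict[str, list[str]] = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.startswith("Cap"):
            sets[key] = decode_capmask(value.strip())
    return sets


def excess_capabilities(effective: list[str], allowed: list[str]) -> list[str]:
    """Capabilities the process holds that the cap_add list did not grant."""
    return sorted(set(effective) - set(allowed))


def render_cap_block(names: list[str]) -> str:
    """Render the compose fragment that grants exactly these capabilities."""
    lines = ["cap_drop:", "  - ALL"]
    if names:
        lines.append("cap_add:")
        lines.extend(f"  - {n}" for n in names)
    return "\n".join(lines)


if __name__ == "__main__":
    sets = parse_proc_status(SAMPLE_STATUS)
    print("effective:", sets["CapEff"])
    print("bounding :", sets["CapBnd"])
    intended = ["SETGID", "SETUID", "CHOWN"]
    print("beyond intended:", excess_capabilities(sets["CapEff"], intended))
    print(render_cap_block(sets["CapEff"]))
```

Run it against a real container by piping `docker exec <name> cat /proc/1/status` into `parse_proc_status`; `CapBnd` is the ceiling the container can ever reach, so that is the set to shrink first. If the service still fails after a drop, the capability it needed is usually visible as an `EPERM` in its logs, and you add only that one back.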
Drop All
Removes all kernel capabilities:
cap_drop:
- ALL
The following have run fine for me with every capability dropped:
- A Python-based Discord bot
- Cloudflare tunnel container
- Dockhand
- Hawser
AdGuardHome
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- CHOWN
- NET_BIND_SERVICE
- SYS_CHROOT
CraftyController
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- CHOWN
IT-Tools
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
Nginx Container + Database
cap_drop:
- ALL
cap_add:
- SETGID
- SETUID
- CHOWN
- DAC_OVERRIDE
Nginx Container
cap_drop:
- ALL
cap_add:
- CHOWN
- SETGID
- SETUID
Tor
cap_drop:
- ALL
cap_add:
- NET_BIND_SERVICE
Uptime Kuma
cap_drop:
- ALL
cap_add:
- SYS_ADMIN
- NET_ADMIN
- NET_RAW
- FOWNER
- SETGID
- SETUID
- CHOWN