May 22, 2021 Docker From entry to practice
Capabilities are a powerful Linux kernel feature that provides fine-grained access control. The kernel has supported the capability mechanism since version 2.2; it splits the privileges traditionally bundled into root into more granular operational capabilities that apply to both processes and files.
For example, a web service process only needs permission to bind a port below 1024; it does not require full root privileges, only the net_bind_service capability (CAP_NET_BIND_SERVICE in kernel terms).
Many other similar capabilities exist so that processes can do privileged work without obtaining root permissions.
By default, containers started by Docker are strictly restricted to a small subset of the kernel's capabilities.
Using the capability mechanism has many benefits for the security of Docker containers. Typically, a number of processes that require privileged permissions run on a server, including ssh, cron, syslogd, hardware management tools (such as module loaders), network configuration tools, and so on. Containers are different: almost all of these privileged processes are managed by support systems outside the container.
As the example above shows, in most cases containers do not need "real" root privileges; they need only a few capabilities. To enhance security, the capabilities a container does not need can be disabled.
In this way, even if an attacker obtains root permissions inside the container, he or she will not be able to obtain higher permissions on the host, and the damage that can be done is limited.
By default, Docker uses a whitelist: every capability that is not on the list of required ones is disabled. Users can also grant additional capabilities to a container as their workload requires.
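To make the whitelist concrete, the following added example (not code from the original article or from Docker) decodes a CapEff mask of the kind shown in /proc/&lt;pid&gt;/status, models what the default set looks like after --cap-drop/--cap-add, and flags capabilities a reviewer would not expect in a hardened container. The sample status text is constructed; the capability bit numbers are those of the Linux kernel, and the default list is Docker's documented default set.

```python
"""Decode and audit Linux capability masks (CapEff) as used by Docker containers."""
import re

# Capability bit numbers, in the order defined by the Linux kernel (bit 0 = CHOWN).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
BIT_OF = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Capabilities Docker grants to a container when no --cap-* flags are given.
DOCKER_DEFAULT = {
    "CHOWN", "DAC_OVERRIDE", "FSETID", "FOWNER", "MKNOD", "NET_RAW", "SETGID",
    "SETUID", "SETFCAP", "SETPCAP", "NET_BIND_SERVICE", "SYS_CHROOT", "KILL",
    "AUDIT_WRITE",
}
# Capabilities whose presence in a container should prompt a review.
RISKY = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "NET_ADMIN", "DAC_READ_SEARCH"}

def decode_mask(hex_mask):
    """Turn a CapEff-style hex string into the set of capability names it encodes."""
    value = int(hex_mask, 16)
    return {name for name, bit in BIT_OF.items() if value >> bit & 1}

def encode_mask(names):
    """Inverse of decode_mask: build the 16-digit hex mask for a set of names."""
    return format(sum(1 << BIT_OF[n] for n in names), "016x")

def effective_caps(drop=(), add=()):
    """Model docker run --cap-drop/--cap-add applied on top of the default set."""
    caps = set() if "ALL" in drop else DOCKER_DEFAULT - set(drop)
    return caps | set(add)

def caps_from_status(status_text):
    """Extract the CapEff set from the text of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    return decode_mask(m.group(1)) if m else set()

def risky_caps(caps):
    """Return the subset of caps that a hardened container should not hold."""
    return caps & RISKY

# Constructed sample: the status lines a default Docker container would show.
SAMPLE_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\n"
```

Running `encode_mask(effective_caps(drop=["ALL"], add=["NET_BIND_SERVICE"]))` yields the mask for the web-server case in the text, with only bit 10 set.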