Tuesday, March 19, 2019

Container Security - Capabilities

The most common security setting applied to containers is capability dropping. Capability dropping is a technique in which a privileged process revokes a subset of the privileges it is endowed with.

Root is the most powerful user. It has access to everything and can perform any operation on anything. Running processes inside a container as the root user is always risky, so it is better to have a way to control the powers of the root user. This is where capabilities come into the picture. The Linux kernel breaks down the privileges of the root user into units called capabilities. For example, CAP_CHOWN is a capability that allows the root user to make arbitrary changes to a file's UID and GID. Another capability, CAP_DAC_OVERRIDE, allows the root user to bypass the kernel permission checks on file read, write and execute operations. Almost all powers of the root user can be broken down into individual capabilities. Breaking the privileges down this way allows us to:
  1. Remove individual capabilities from the root user account, making it less powerful
  2. Add these capabilities to a non-root user at a very granular level
There are file-based and thread-based capabilities. File capabilities allow users to execute programs with higher privileges, and thread-based capabilities keep track of the current state of the capabilities in running programs. Capabilities can be set using 3 options:
  1. Run containers as root with a large set of capabilities and try to manage capabilities within your container manually.
  2. Run containers as root with limited capabilities and never change them within a container.
  3. Run containers as an unprivileged user with no capabilities.
Most of the time option 2 is the most realistic, and option 3 is ideal too. Option 1 should be avoided whenever possible.

In the commands below, <capability> stands for the name of the capability to drop or add.

To drop a capability from the root account of the container, we can start the container as,
docker run --rm -it --cap-drop <capability> alpine sh

To add a capability to the root account of the container, we can start the container as,
docker run --rm -it --cap-add <capability> alpine sh

To drop all capabilities and then add individual capabilities to the root account of the container, we can use,
docker run --rm -it --cap-drop ALL --cap-add <capability> alpine sh

Capability names in the Linux kernel start with "CAP_", like CAP_CHOWN, CAP_SETUID etc., but Docker capabilities are not prefixed with "CAP_"; instead they are defined as regular strings like "chown". Docker takes care of mapping its capability names to the kernel ones.

Let's see some examples of how capabilities work with Docker.
Start a new container and confirm that the container root account can change the ownership of a file by,
jagadishAvailable$Tue Mar 19@ docker run --rm -it alpine chown nobody /

The command returns no output, which indicates that the root account can change the ownership of files. We did not add any capabilities, but the root user has the default capabilities, which include chown (CAP_CHOWN).

Start a new container, drop all capabilities, add only the chown capability, and confirm that the root account in the container can change the ownership of files by,
jagadishAvailable$Tue Mar 19@ docker run --rm -it --cap-drop ALL --cap-add CHOWN alpine chown nobody /

This also returns no output, which indicates that the container ran successfully.

Now, in the last step, let's run a container with the chown capability dropped for the root account and check whether it can still change the ownership of files,
jagadishAvailable$Tue Mar 19@ docker run --rm -it --cap-drop CHOWN alpine chown nobody /
chown: /: Operation not permitted

This fails with an error saying that the chown operation is not permitted, which means the chown capability has been dropped.

Pscap - We are by now aware of how to add and remove capabilities, but we need a way to check which capabilities are currently set and which are not. Linux provides a tool called pscap, available in the libcap-ng-utils package, which helps you identify which capabilities are set and which are not.
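The same information can be read without pscap from the Cap* bitmask fields in /proc/<pid>/status. The decoder below is an added example, not code from the original post: it turns those masks into Docker-style names so the effect of --cap-drop and --cap-add can be checked. The function names are hypothetical and the three sample status excerpts are constructed.

```python
"""Decode the Cap* bitmasks in /proc/<pid>/status into Docker-style names."""
import re

# Bit positions as defined in <linux/capability.h>; Docker omits the "CAP_" prefix.
CAP_NAMES = (
    "CHOWN DAC_OVERRIDE DAC_READ_SEARCH FOWNER FSETID KILL SETGID SETUID "
    "SETPCAP LINUX_IMMUTABLE NET_BIND_SERVICE NET_BROADCAST NET_ADMIN NET_RAW "
    "IPC_LOCK IPC_OWNER SYS_MODULE SYS_RAWIO SYS_CHROOT SYS_PTRACE SYS_PACCT "
    "SYS_ADMIN SYS_BOOT SYS_NICE SYS_RESOURCE SYS_TIME SYS_TTY_CONFIG MKNOD "
    "LEASE AUDIT_WRITE AUDIT_CONTROL SETFCAP MAC_OVERRIDE MAC_ADMIN SYSLOG "
    "WAKE_ALARM BLOCK_SUSPEND AUDIT_READ PERFMON BPF CHECKPOINT_RESTORE"
).split()

def decode_mask(mask):
    """Return the names of the capabilities whose bits are set in mask."""
    names = [n for bit, n in enumerate(CAP_NAMES) if (mask >> bit) & 1]
    unknown = mask >> len(CAP_NAMES)
    if unknown:  # bits newer than this table: report them instead of hiding them
        names.append("UNKNOWN(0x%x)" % (unknown << len(CAP_NAMES)))
    return names

def parse_status(text):
    """Map each Cap* field (CapInh, CapPrm, CapEff, CapBnd, CapAmb) to names."""
    fields = re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)
    return {field: decode_mask(int(value, 16)) for field, value in fields}

def can(status_text, capability):
    """True if capability is in the effective set, the one the kernel checks."""
    name = capability.upper()
    if name.startswith("CAP_"):
        name = name[4:]
    return name in parse_status(status_text).get("CapEff", [])

# Constructed sample excerpts of /proc/<pid>/status (not captured from a host).
ROOT_SAMPLE = ("Name:\tsh\nCapInh:\t0000000000000000\n"
               "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
               "CapBnd:\t00000000a80425fb\nCapAmb:\t0000000000000000\n")
NO_CHOWN_SAMPLE = ROOT_SAMPLE.replace("a80425fb", "a80425fa")    # CHOWN bit cleared
CHOWN_ONLY_SAMPLE = ROOT_SAMPLE.replace("a80425fb", "00000001")  # only CHOWN set

if __name__ == "__main__":
    for label, sample in (("root sample", ROOT_SAMPLE),
                          ("chown dropped", NO_CHOWN_SAMPLE),
                          ("chown only", CHOWN_ONLY_SAMPLE)):
        print(label, "CapEff:", ", ".join(parse_status(sample)["CapEff"]))
```

Inside a running container, pass the contents of /proc/1/status to parse_status in place of the constructed samples.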
