
Docker labs security says that images cannot have files with capabilities set; what gives? #1

Closed
thediveo opened this issue Jul 28, 2020 · 4 comments

Comments

@thediveo

https://github.com/docker/labs/tree/master/security/capabilities#tips says:

Docker images cannot have files with capability bits set. This reduces the risk of Docker containers using capabilities to escalate privileges.

Is the Docker labs security information outdated then, as it is in conflict with your blog post and example? Are there different filesystems used when unpacking a container image for execution, so file capabilities might get ignored?

@amouat
Contributor

amouat commented Aug 12, 2020

I'd have to look into it to be sure, but I think your thought on file-systems is probably correct - capabilities do require file system support.

I did test the examples to death, but I should have included which Docker file system I was using.

Let me look into this a bit, as something needs updating.

@amouat
Contributor

amouat commented Aug 12, 2020

Ok, so this was pretty quick in the end.

The article you link says that capabilities are stripped by docker build (so nothing to do with the filesystem). This isn't the case for me:

```
$ docker build -t capblog .
...
$ docker run capblog getcap /set_ambient
/set_ambient = cap_net_bind_service+p
```

I do note that article is 2 years old and there has been a lot of work on docker build since (see buildx etc). I think things have just changed since it was written.

Thanks for opening the issue though - you had me worried for a minute :)

I'm going to close this as I think it's pretty clear you can have capabilities in Docker images.

@amouat amouat closed this as completed Aug 12, 2020
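The `getcap` check above only covers one path inside a running container. As an added example (not code from the blog post or from the docker/labs repository), the script below audits a whole unpacked image rootfs the way `getcap -r` would, decoding the raw `security.capability` xattr according to the `struct vfs_cap_data` / `vfs_ns_cap_data` layout in linux/capability.h (revisions 1, 2 and 3, including the revision 3 root uid). The capability numbers are the Linux UAPI ones; the sample blobs in the test are constructed.

```python
"""Audit an unpacked image rootfs for files carrying Linux file capabilities (added example).
Decodes the raw security.capability xattr per struct vfs_cap_data / vfs_ns_cap_data."""
import os
import struct

CAP_NAMES = (  # capability numbers 0..40 from linux/capability.h
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw "
    "ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct "
    "sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod "
    "lease audit_write audit_control setfcap mac_override mac_admin syslog "
    "wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"
).split()
VFS_CAP_FLAGS_EFFECTIVE = 0x000001   # bit 0 of magic_etc: effective set == permitted set
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_U32 = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # 32-bit words per set

def decode_vfs_caps(blob: bytes) -> str:
    """Render one xattr value getcap-style, e.g. 'cap_net_bind_service+p'."""
    magic_etc = struct.unpack_from("<I", blob, 0)[0]
    rev = magic_etc & VFS_CAP_REVISION_MASK
    if rev not in VFS_CAP_U32:
        raise ValueError(f"unknown vfs_cap_data revision 0x{rev:08x}")
    permitted = inheritable = 0
    for i in range(VFS_CAP_U32[rev]):  # little-endian (permitted, inheritable) word pairs
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    effective = bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE)
    # revision 3 appends the user-namespace root uid the capabilities are valid for
    rootid = struct.unpack_from("<I", blob, 4 + 8 * VFS_CAP_U32[rev])[0] if rev == 0x03000000 else 0
    parts = []
    for bit in range(max(permitted.bit_length(), inheritable.bit_length())):
        p_set, i_set = permitted >> bit & 1, inheritable >> bit & 1
        flags = ("e" if p_set and effective else "") + ("i" if i_set else "") + ("p" if p_set else "")
        if flags:
            parts.append(f"cap_{CAP_NAMES[bit] if bit < len(CAP_NAMES) else bit}+{flags}")
    return ",".join(parts) + (f" [rootid={rootid}]" if rootid else "")

def find_file_caps(rootfs: str):
    """Yield (path, caps) for every file under rootfs carrying security.capability."""
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                blob = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # ENODATA (no caps), ENOTSUP (no xattr support) or EACCES
                continue
            yield path, decode_vfs_caps(blob)
```

Run it as `list(find_file_caps("/path/to/unpacked/rootfs"))` on Linux against an image exported with `docker export` or `docker save` and untarred; a filesystem that drops xattrs will simply report nothing, which is itself the symptom discussed in this thread.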
@thediveo
Author

But shouldn't the article get updated, such as by removing the false part claiming that images cannot have file caps?

@amouat
Contributor

amouat commented Aug 12, 2020

Yes it should. But there is already an open issue docker/labs#469

I don't think the repo is really maintained any more.
