State when the runtime should and must not apply Linux ambient capabilities
Ambient capabilities are a feature, since Linux 4.3, that enables capabilities
to be set on non root processes directly. They are the only way to set these,
so are desirable in the case of "no new privileges" where suid binaries or
filesystem capabilities cannot be used as this flag denies these operations,
and therefore there is no other way to apply capabilities to non root processes.
Without "no new privileges" users generally expect suid binaries or
filesystem capabilities to be the way to grant capabilities to non
root processes.
See opencontainers/runc#1286 for the `runc` pull
and detailed explanation of the security issues in offering a choice here.
Signed-off-by: Justin Cormack <[email protected]>
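The rule described above, as an added example that is not part of the commit or of runc: the decision the spec sentence encodes, a privilege-free probe for kernel ambient support, and the prctl sequence a runtime would issue. The function names are hypothetical; the prctl values are the kernel's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <linux/capability.h>

/* Older headers predate Linux 4.3; the values match <linux/prctl.h>. */
#ifndef PR_CAP_AMBIENT
#define PR_CAP_AMBIENT 47
#define PR_CAP_AMBIENT_IS_SET 1
#define PR_CAP_AMBIENT_RAISE 2
#endif
#ifndef CAP_NET_BIND_SERVICE
#define CAP_NET_BIND_SERVICE 10
#endif

/* The rule the change adds: apply ambient capabilities only when the config's
 * noNewPrivileges flag is set (SHOULD); otherwise never (MUST NOT). */
bool should_apply_ambient(bool no_new_privileges)
{
    return no_new_privileges;
}

/* Probe whether the running kernel implements ambient capabilities.
 * PR_CAP_AMBIENT_IS_SET needs no privilege; a pre-4.3 kernel answers EINVAL.
 * Returns 1 = supported, 0 = unsupported, -1 = unexpected error (e.g. seccomp). */
int ambient_supported(void)
{
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_NET_BIND_SERVICE, 0, 0) < 0)
        return errno == EINVAL ? 0 : -1;
    return 1;
}

/* What a runtime would do for one entry of the `capabilities` array.
 * Returns 0 on success, 1 when skipped because noNewPrivileges is unset, and
 * -errno when the kernel refuses: EINVAL without ambient support, EPERM when
 * the capability is not already in both the permitted and inheritable sets. */
int apply_ambient_cap(bool no_new_privileges, int cap)
{
    if (!should_apply_ambient(no_new_privileges))
        return 1;
    /* no_new_privs goes first: from here on suid binaries and file
     * capabilities cannot raise privileges, so ambient is the only path. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -errno;
    if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, cap, 0, 0) < 0)
        return -errno;
    return 0;
}
```

Run as an unprivileged user the raise path returns -EPERM, which is exactly the kernel precondition a runtime must satisfy (permitted and inheritable sets) before the ambient set can be populated.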
config.md: 3 additions & 0 deletions
@@ -133,6 +133,9 @@ For Linux-based systems the process structure supports the following process spe
133
133
134
134
***`capabilities`** (array of strings, OPTIONAL) capabilities is an array that specifies Linux capabilities that can be provided to the process inside the container.
135
135
Valid values are the strings for capabilities defined in [the man page](http://man7.org/linux/man-pages/man7/capabilities.7.html).
136
+
137
+
If the `noNewPrivileges` flag is set the runtime SHOULD try to apply Linux ambient capabilities. If this flag is not set it MUST NOT apply ambient capabilities.
138
+
136
139
***`rlimits`** (array of objects, OPTIONAL) allows setting resource limits for a process inside the container.
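Review bot: the new sentence's "SHOULD try to apply" leaves the failure case undefined; the commit message notes ambient capabilities exist only since Linux 4.3, so the paragraph should state whether a runtime on an older kernel (or one whose prctl call fails) reports an error or starts the process without them, e.g. "If the kernel does not support ambient capabilities the runtime SHOULD ..." or the converse. It would also help to say explicitly that the ambient set is drawn from the `capabilities` array listed just above, since the added text refers only to "Linux ambient capabilities" without naming which capabilities are meant.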