Customizing Linux kernel capabilities
Capabilities are a feature introduced in Linux kernel 2.2 with the purpose of splitting elevated privileges into distinct units that can be assigned individually to a process or thread.
Instead of running a process as a fully privileged instance with effective UID 0, we can assign a limited subset of specific capabilities to an unprivileged process. By giving more granular control over the security context in which the process executes, this approach limits the privileges an attacker gains if that process is compromised.
Before we discuss the capabilities of containers, let's recap how they work in a Linux system so that we understand their inner logic.
Capabilities quickstart guide
Capabilities are associated with executable files using extended attributes (see man xattr) and are applied automatically to the process that executes the file through the execve() system call.
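To make the xattr mechanism concrete, here is an added example (not code from the article) that decodes the raw security.capability extended attribute the way getcap(8) would, and decodes the Cap* lines of /proc/<pid>/status to show what the executing process actually received. The binary layout is struct vfs_cap_data / vfs_ns_cap_data from linux/capability.h; the sample xattr bytes and the status excerpt are constructed for illustration, and the function names are this example's own.

```python
"""Decode Linux file capabilities and process capability sets.

Added example, not the article's code. The on-disk layout follows
struct vfs_cap_data / vfs_ns_cap_data from linux/capability.h; the
sample inputs below are constructed for illustration.
"""
import os
import struct

# Capability numbers as defined in linux/capability.h (list index == number).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_REVISION_2 = 0x02000000     # two (permitted, inheritable) u32 pairs = 64-bit masks
VFS_CAP_REVISION_3 = 0x03000000     # revision 2 layout plus a rootid (user namespaces)
VFS_CAP_FLAGS_EFFECTIVE = 0x000001  # the single "e" flag applies to every permitted cap


def names_from_mask(mask: int) -> list[str]:
    """Expand a capability bitmask into names, lowest number first.
    Bits beyond the known list are reported as cap_<n> rather than dropped."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        bit += 1
    return names


def decode_file_caps(blob: bytes) -> dict:
    """Parse the raw bytes of the security.capability extended attribute."""
    if len(blob) < 20:
        raise ValueError("security.capability blob too short")
    magic = struct.unpack_from("<I", blob, 0)[0]
    revision = magic & VFS_CAP_REVISION_MASK
    if revision not in (VFS_CAP_REVISION_2, VFS_CAP_REVISION_3):
        raise ValueError(f"unsupported vfs_cap_data revision 0x{revision:08x}")
    p_lo, i_lo, p_hi, i_hi = struct.unpack_from("<IIII", blob, 4)
    caps = {
        "permitted": names_from_mask(p_lo | (p_hi << 32)),
        "inheritable": names_from_mask(i_lo | (i_hi << 32)),
        "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
    }
    if revision == VFS_CAP_REVISION_3:
        if len(blob) < 24:
            raise ValueError("revision 3 blob is missing the rootid field")
        caps["rootid"] = struct.unpack_from("<I", blob, 20)[0]
    return caps


def format_file_caps(caps: dict) -> str:
    """Render decoded sets the way getcap(8) prints them, e.g. cap_net_bind_service=ep."""
    ordered = [n for n in CAP_NAMES if n in caps["permitted"] or n in caps["inheritable"]]
    groups: dict[str, list[str]] = {}
    for name in ordered:
        flags = ""
        if name in caps["permitted"] and caps["effective"]:
            flags += "e"
        if name in caps["inheritable"]:
            flags += "i"
        if name in caps["permitted"]:
            flags += "p"
        groups.setdefault(flags, []).append(name)
    return " ".join(f"{','.join(names)}={flags}" for flags, names in groups.items())


def read_file_caps(path: str):
    """Decoded caps for a file on disk, or None when it carries none.
    Reading security.capability needs no privileges, so this suits a
    getcap -r style audit of which binaries grant capabilities on exec."""
    try:
        return decode_file_caps(os.getxattr(path, "security.capability"))
    except OSError:  # ENODATA (no attribute) or ENOTSUP (filesystem lacks xattrs)
        return None


def decode_status_caps(status_text: str) -> dict[str, list[str]]:
    """Parse the Cap* lines of /proc/<pid>/status (64-bit hex masks)."""
    sets = {}
    for line in status_text.splitlines():
        key, _, value = line.partition(":")
        if key.startswith("Cap") and value.strip():
            sets[key] = names_from_mask(int(value.strip(), 16))
    return sets


# Constructed sample: the xattr setcap(8) writes for "cap_net_bind_service=ep"
# (revision 2, effective flag set, permitted bit 10 = 0x400, nothing inheritable).
SAMPLE_XATTR = bytes.fromhex("01000002" "00040000" "00000000" "00000000" "00000000")

# Constructed excerpt of /proc/<pid>/status for an unprivileged process that
# executed that file: only cap_net_bind_service lands in CapPrm and CapEff.
SAMPLE_STATUS = """\
CapInh:\t0000000000000000
CapPrm:\t0000000000000400
CapEff:\t0000000000000400
CapBnd:\t000001ffffffffff
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print("file:", format_file_caps(decode_file_caps(SAMPLE_XATTR)))
    for name, caps in decode_status_caps(SAMPLE_STATUS).items():
        print(f"{name}\t{','.join(caps) or '(none)'}")
    if os.path.exists("/proc/self/status"):  # live view of this interpreter's sets
        with open("/proc/self/status") as f:
            print("CapEff of this process:", decode_status_caps(f.read()).get("CapEff"))
```

The two halves belong together: the file attribute says what execve() may grant, and the status lines say what the process ended up with, so comparing them over a host is how you spot a binary carrying `=ep` capabilities that nothing on the system should have been given.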
The list of available capabilities is quite large and still growing...