Merge pull request #2726 from thaJeztah/add_new_caps

Add docs and bash-completion for new Linux capabilities
This commit is contained in:
Tõnis Tiigi 2020-09-17 11:45:43 -07:00 committed by GitHub
commit ee360d3998
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 50 additions and 43 deletions


@ -837,6 +837,8 @@ __docker_complete_capabilities_addable() {
CAP_AUDIT_CONTROL CAP_AUDIT_CONTROL
CAP_AUDIT_READ CAP_AUDIT_READ
CAP_BLOCK_SUSPEND CAP_BLOCK_SUSPEND
CAP_BPF
CAP_CHECKPOINT_RESTORE
CAP_DAC_READ_SEARCH CAP_DAC_READ_SEARCH
CAP_IPC_LOCK CAP_IPC_LOCK
CAP_IPC_OWNER CAP_IPC_OWNER
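Review bot: CAP_BPF and CAP_CHECKPOINT_RESTORE are offered unconditionally here, but the kernel only knows them from 5.8 and 5.9 respectively, so on older hosts the completion produces a `--cap-add` value the daemon will not accept. That is acceptable for a static list, but a short comment at the top of `__docker_complete_capabilities_addable()` saying the list is the union across kernel versions, not what the running host supports, would save the next person from "fixing" it. Placement in the addable list (not the default set) and alphabetical order are both correct.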
@ -846,6 +848,7 @@ __docker_complete_capabilities_addable() {
CAP_MAC_OVERRIDE CAP_MAC_OVERRIDE
CAP_NET_ADMIN CAP_NET_ADMIN
CAP_NET_BROADCAST CAP_NET_BROADCAST
CAP_PERFMON
CAP_SYS_ADMIN CAP_SYS_ADMIN
CAP_SYS_BOOT CAP_SYS_BOOT
CAP_SYSLOG CAP_SYSLOG
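Review bot: Same kernel-version caveat as the previous hunk applies to CAP_PERFMON (5.8+); one comment covering all three new entries is enough. Ordering is consistent with the existing entries.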


@ -1286,7 +1286,7 @@ list of capabilities that are kept. The following table lists the Linux capabili
options which are allowed by default and can be dropped. options which are allowed by default and can be dropped.
| Capability Key | Capability Description | | Capability Key | Capability Description |
|:-----------------|:------------------------------------------------------------------------------------------------------------------------------| |:----------------------|:-------------------------------------------------------------------------------------------------------------------------------|
| AUDIT_WRITE | Write records to kernel auditing log. | | AUDIT_WRITE | Write records to kernel auditing log. |
| CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). | | CHOWN | Make arbitrary changes to file UIDs and GIDs (see chown(2)). |
| DAC_OVERRIDE | Bypass file read, write, and execute permission checks. | | DAC_OVERRIDE | Bypass file read, write, and execute permission checks. |
@ -1305,10 +1305,12 @@ options which are allowed by default and can be dropped.
The next table shows the capabilities which are not granted by default and may be added. The next table shows the capabilities which are not granted by default and may be added.
| Capability Key | Capability Description | | Capability Key | Capability Description |
|:----------------|:----------------------------------------------------------------------------------------------------------------| |:----------------------|:-------------------------------------------------------------------------------------------------------------------------------|
| AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. | | AUDIT_CONTROL | Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules. |
| AUDIT_READ | Allow reading audit messages from the kernel. | | AUDIT_READ | Allow reading the audit log via multicast netlink socket. |
| BLOCK_SUSPEND | Employ features that can block system suspend. | | BLOCK_SUSPEND | Allow preventing system suspends. |
| BPF | Allow creating BPF maps, loading BPF Type Format (BTF) data, retrieve JITed code of BPF programs, and more. |
| CHECKPOINT_RESTORE | Allow checkpoint/restore related operations. Introduced in kernel 5.9. |
| DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. | | DAC_READ_SEARCH | Bypass file read permission checks and directory read and execute permission checks. |
| IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). | | IPC_LOCK | Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)). |
| IPC_OWNER | Bypass permission checks for operations on System V IPC objects. | | IPC_OWNER | Bypass permission checks for operations on System V IPC objects. |
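Review bot: The new `BPF` row mixes verb forms ("Allow creating ..., loading ..., retrieve JITed code"); use "retrieving JITed code" for parallelism. Also, `CHECKPOINT_RESTORE` says "Introduced in kernel 5.9" while `BPF` gives no version even though it is equally new (kernel 5.8); stating the version in both rows tells readers that on older kernels these BPF operations still fall under `SYS_ADMIN`. The reworded `AUDIT_READ` and `BLOCK_SUSPEND` descriptions read fine.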
@ -1318,6 +1320,7 @@ The next table shows the capabilities which are not granted by default and may b
| MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). | | MAC_OVERRIDE | Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM). |
| NET_ADMIN | Perform various network-related operations. | | NET_ADMIN | Perform various network-related operations. |
| NET_BROADCAST | Make socket broadcasts, and listen to multicasts. | | NET_BROADCAST | Make socket broadcasts, and listen to multicasts. |
| PERFMON | Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems |
| SYS_ADMIN | Perform a range of system administration operations. | | SYS_ADMIN | Perform a range of system administration operations. |
| SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. | | SYS_BOOT | Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution. |
| SYS_MODULE | Load and unload kernel modules. | | SYS_MODULE | Load and unload kernel modules. |
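Review bot: The `PERFMON` description lacks the trailing period every other row has, and like `BPF` it omits that the capability only exists from kernel 5.8 (before that, privileged perf_events use requires `SYS_ADMIN`). Suggested text: "Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems. Introduced in kernel 5.8."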
@ -1331,7 +1334,8 @@ The next table shows the capabilities which are not granted by default and may b
| SYSLOG | Perform privileged syslog(2) operations. | | SYSLOG | Perform privileged syslog(2) operations. |
| WAKE_ALARM | Trigger something that will wake up the system. | | WAKE_ALARM | Trigger something that will wake up the system. |
Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html) Further reference information is available on the [capabilities(7) - Linux man page](http://man7.org/linux/man-pages/man7/capabilities.7.html),
and in the [Linux kernel source code](https://github.com/torvalds/linux/blob/124ea650d3072b005457faed69909221c2905a1f/include/uapi/linux/capability.h).
Both flags support the value `ALL`, so to allow a container to use all capabilities Both flags support the value `ALL`, so to allow a container to use all capabilities
except for `MKNOD`: except for `MKNOD`:
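Review bot: Pinning the `capability.h` link to a specific kernel commit is the right call, since that file changes whenever a capability is added; while touching this sentence, the man-page link could move from `http://` to `https://`, which man7.org serves.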