# Demo Pod manifest (tools/hack/demo2023). It drops every Linux capability and
# then adds the complete capability set back, so the container's root user ends
# up with the full capability set available. Presumably a fixture for exercising
# over-privileged-container detection — confirm against the demo scripts before
# reusing it. For comparison, Pod Security Admission's `restricted` profile
# permits only NET_BIND_SERVICE to be added back after dropping ALL.
apiVersion: v1
kind: Pod
metadata:
  name: security-context-capabilities
spec:
  containers:
  - name: example
    image: gcr.io/google-samples/node-hello:1.0
    securityContext:
      capabilities:
        drop:
          # NOTE(review): the Kubernetes documentation spells the wildcard as
          # ALL; confirm the target container runtime treats "all"
          # case-insensitively before relying on this outside the demo.
          - all
        # Adding every capability below negates the drop above. The per-entry
        # comments describe each capability's effect; the wording largely
        # mirrors the kernel's capability.h descriptions.
        add:
          - "CHOWN" # Allows changing file ownership and group ownership.
          - "DAC_OVERRIDE" # Overrides all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
          - "DAC_READ_SEARCH" # Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined.
          - "FOWNER" # Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable.
          - "FSETID" # Overrides the following restrictions:
                     # The effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file;
                     # The effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file;
                     # The S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented).
          - "KILL" # Allows killing any process.
          - "SETGID" # Allows setgid(2) manipulation and setgroups(2).
          - "SETUID" # Allows setuid(2) manipulation.
          - "SETPCAP" # Allows transfer and removal of capabilities to any process.
          - "LINUX_IMMUTABLE" # Allows modification of S_IMMUTABLE and S_APPEND file attributes.
          - "NET_BIND_SERVICE" # Allows binding to TCP/UDP sockets below 1024 and ATM VCIs below 32.
          - "NET_BROADCAST" # Allows broadcasting and listening to multicast.
          - "NET_ADMIN" # Allows managing network devices and configuring network interfaces.
          - "NET_RAW" # Allows use of RAW sockets.
          - "IPC_LOCK" # Allows locking of shared memory segments.
          - "IPC_OWNER" # Overrides IPC ownership checks.
          - "SYS_MODULE" # Allows insertion and removal of kernel modules.
          - "SYS_RAWIO" # Allows ioperm/iopl access and sending USB messages to any device via /dev/bus/usb.
          - "SYS_CHROOT" # Allows use of chroot().
          - "SYS_PTRACE" # Allows ptrace() of any process.
          - "SYS_PACCT" # Allows configuration of process accounting.
          - "SYS_ADMIN" # Allows a wide range of system administration tasks, such as mounting/unmounting filesystems, setting the domainname and hostname, and configuring process accounting and resource limits.
          - "SYS_BOOT" # Allows use of reboot().
          - "SYS_NICE" # Allows raising priority and setting priority on other processes, setting the scheduling algorithm for other processes, and setting CPU affinity for other processes.
          - "SYS_RESOURCE" # Allows overriding resource limits, quota limits, reserved space on ext2 filesystems, journaling mode on ext3 filesystems, size restrictions on IPC message queues, and more.
          - "SYS_TIME" # Allows manipulation of system clock, including setting the real-time clock.
          - "SYS_TTY_CONFIG" # Allows configuration of tty devices, including vhangup() of tty.
          - "MKNOD" # Allows the privileged aspects of mknod().
          - "LEASE" # Allows taking of leases on files.
          - "AUDIT_WRITE" # Allows writing the audit log via unicast netlink socket.
          - "AUDIT_CONTROL" # Allows configuration of audit via unicast netlink socket.
          - "SETFCAP" # Allows setting or removing capabilities on files and mapping uid=0 into a child user namespace.
          - "MAC_OVERRIDE" # Allows overriding MAC access.
          - "MAC_ADMIN" # Allows configuration or state changes of MAC policy
          - "SYSLOG" # Allow configuring the kernel's syslog (printk behaviour)
          - "WAKE_ALARM" # Allow triggering something that will wake the system
          - "BLOCK_SUSPEND" # Allow preventing system suspends
          - "AUDIT_READ" # Allow reading the audit log via multicast netlink socket
          - "PERFMON" # Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems
          - "BPF" # CAP_BPF allows the BPF operations
          - "CHECKPOINT_RESTORE" # Allow checkpoint/restore related operations, Allow PID selection during clone3(), Allow writing to ns_last_pid