
     1  apiVersion: v1
     2  kind: Pod
     3  metadata:
     4    name: security-context-capabilities
     5  spec:
     6    containers:
     7      - name: example
     8        image: gcr.io/google-samples/node-hello:1.0
     9        securityContext:
    10          capabilities:
    11            drop:
    12              - all
    13            add:
    14              - "CHOWN"  # Allows changing file ownership and group ownership.
    15              - "DAC_OVERRIDE"  # Overrides all DAC access, including ACL execute access if [_POSIX_ACL] is defined. Excluding DAC access covered by CAP_LINUX_IMMUTABLE.
    16              - "DAC_READ_SEARCH"  # Overrides all DAC restrictions regarding read and search on files and directories, including ACL restrictions if [_POSIX_ACL] is defined.
    17              - "FOWNER"  # Overrides all restrictions about allowed operations on files, where file owner ID must be equal to the user ID, except where CAP_FSETID is applicable.
    18              - "FSETID"  # Overrides the following restrictions:
    19                # The effective user ID shall match the file owner ID when setting the S_ISUID and S_ISGID bits on that file;
    20              # The effective group ID (or one of the supplementary group IDs) shall match the file owner ID when setting the S_ISGID bit on that file;
    21              # The S_ISUID and S_ISGID bits are cleared on successful return from chown(2) (not implemented).
    22              - "KILL"  # Allows killing any process.
    23              - "SETGID"  # Allows setgid(2) manipulation and setgroups(2).
    24              - "SETUID"  # Allows setuid(2) manipulation.
    25              - "SETPCAP"  # Allows transfer and removal of capabilities to any process.
    26              - "LINUX_IMMUTABLE"  # Allows modification of S_IMMUTABLE and S_APPEND file attributes.
    27              - "NET_BIND_SERVICE"  # Allows binding to TCP/UDP sockets below 1024 and ATM VCIs below 32.
    28              - "NET_BROADCAST"  # Allows broadcasting and listening to multicast.
    29              - "NET_ADMIN"  # Allows managing network devices and configuring network interfaces.
    30              - "NET_RAW"  # Allows use of RAW sockets.
    31              - "IPC_LOCK"  # Allows locking of shared memory segments.
    32              - "IPC_OWNER"  # Overrides IPC ownership checks.
    33              - "SYS_MODULE"  # Allows insertion and removal of kernel modules.
    34              - "SYS_RAWIO"  # Allows ioperm/iopl access and sending USB messages to any device via /dev/bus/usb.
    35              - "SYS_CHROOT"  # Allows use of chroot().
    36              - "SYS_PTRACE"  # Allows ptrace() of any process.
    37              - "SYS_PACCT"  # Allows configuration of process accounting.
    38              - "SYS_ADMIN"  # Allows a wide range of system administration tasks, such as mounting/unmounting filesystems, setting the domainname and hostname, and configuring process accounting and resource limits.
    39              - "SYS_BOOT"  # Allows use of reboot().
    40              - "SYS_NICE"  # Allows raising priority and setting priority on other processes, setting the scheduling algorithm for other processes, and setting CPU affinity for other processes.
    41              - "SYS_RESOURCE"  # Allows overriding resource limits, quota limits, reserved space on ext2 filesystems, journaling mode on ext3 filesystems, size restrictions on IPC message queues, and more.
    42              - "SYS_TIME"  # Allows manipulation of system clock, including setting the real-time clock.
    43              - "SYS_TTY_CONFIG"  # Allows configuration of tty devices, including vhangup() of tty.
    44              - "MKNOD"  # Allows the privileged aspects of mknod().
    45              - "LEASE"  # Allows taking of leases on files.
    46              - "AUDIT_WRITE"  # Allows writing the audit log via unicast netlink socket.
    47              - "AUDIT_CONTROL"  # Allows configuration of audit via unicast netlink socket.
    48              - "SETFCAP"  # Allows setting or removing capabilities on files and mapping uid=0 into a child user namespace.
    49              - "MAC_OVERRIDE"  # Allows overriding MAC access.
    50              - "MAC_ADMIN"  # Allows configuration or state changes of MAC policy
    51              - "SYSLOG"  # Allow configuring the kernel's syslog (printk behaviour)
    52              - "WAKE_ALARM" # Allow triggering something that will wake the system
    53              - "BLOCK_SUSPEND" # Allow preventing system suspends
    54              - "AUDIT_READ" # Allow reading the audit log via multicast netlink socket
    55              - "PERFMON" # Allow system performance and observability privileged operations using perf_events, i915_perf and other kernel subsystems
    56              - "BPF" # CAP_BPF allows the BPF operations
    57              - "CHECKPOINT_RESTORE"  # Allow checkpoint/restore related operations, Allow PID selection during clone3(), Allow writing to ns_last_pid