Capabilities on executables
Note on Linux Kernel capabilities
File capabilities allow users to execute programs with higher privileges. The best example is the network utility ping.
The easiest way to prove that root inside the container is also root on the host
Simple steps you can follow to prove that the root user inside a container is also root on the host, and how to mitigate this.
No docker cp needed to copy files from host to your container
This blog shows you how to copy files from your host machine to a running container without the docker cp command that we usually use.
Understanding the seccomp profile json format
A large number of system calls are exposed to every userland process with many of them going unused for the entire lifetime of the process. A certain subset of userland applications benefit by having a reduced set of available system calls. The resulting set reduces the total kernel surface exposed to the application. System call filtering is meant for use with those applications. Seccomp filtering provides a means for a process to specify a filter for incoming system calls.