When I run a command within a docker container, I see:

# ip netns exec 9ee961d90990 ifconfig
setting the network namespace "9ee961d90990" failed: Operation not permitted

I can launch my container with expanded capabilities directly (I have added the net_admin one), but is there any way to check what system capability is required in order to run this command?

It is possible to start the container with --privileged to do this and trample over everything security-related associated with docker, but I'd rather avoid doing this if at all possible. Doing this does allow the above command to succeed.

enderland

1 Answer

According to the setns(2) man page you'll need CAP_SYS_ADMIN in order to join the target network namespace. But you'll probably need additional capabilities, because setns() is used with a file descriptor to /run/netns/.... You don't say how you've created this network namespace, so I assume it has been created through ip netns add ..., so it's a bind-mounted network namespace pointing into nsfs (namespace filesystem) anyway.

Since /run/netns/... is usually root territory, you'll probably need CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH too; see also the capabilities(7) man page. Maybe also CAP_SYS_PTRACE, because access to many /proc inodes is further restricted by the ptrace capability.

TheDiveO
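As an added example (not part of the question or answer above, and not Docker's own tooling), a Python script that decodes the CapEff mask from /proc/<pid>/status into capability names and reports which of the capabilities named in the answer are absent from the process's effective set. The sample status lines are constructed to model Docker's default capability set with NET_ADMIN added, as the asker did; run it inside a container with /proc/self/status as the argument to inspect the real process.

```python
import re
import sys

# Capability bit numbers as in <linux/capability.h>: list index == bit (CAP_CHOWN = 0).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The capabilities the answer names as candidates for `ip netns exec` inside a container.
NETNS_EXEC_CAPS = ["CAP_SYS_ADMIN", "CAP_DAC_OVERRIDE",
                   "CAP_DAC_READ_SEARCH", "CAP_SYS_PTRACE"]


def decode_mask(hex_mask: str) -> list:
    """Names of the capabilities whose bit is set in a hex mask such as CapEff."""
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def parse_status(status_text: str) -> dict:
    """Pull the Cap* lines (CapInh/CapPrm/CapEff/CapBnd/CapAmb) out of /proc/<pid>/status."""
    return dict(re.findall(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", status_text, re.M))


def missing_for_netns_exec(status_text: str) -> list:
    """Candidate capabilities that are absent from the process's effective set."""
    have = set(decode_mask(parse_status(status_text)["CapEff"]))
    return [cap for cap in NETNS_EXEC_CAPS if cap not in have]


# Constructed sample: Cap* lines of a process in a container started with Docker's
# default capability set (0xa80425fb) plus --cap-add NET_ADMIN (bit 12).
SAMPLE_STATUS = """CapPrm:\t00000000a80435fb
CapEff:\t00000000a80435fb
CapBnd:\t00000000a80435fb
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    print("effective:", ", ".join(decode_mask(parse_status(text)["CapEff"])))
    print("missing for ip netns exec:", ", ".join(missing_for_netns_exec(text)) or "none")
```

With the sample mask the script shows that adding NET_ADMIN alone leaves CAP_SYS_ADMIN (and the DAC_READ_SEARCH/SYS_PTRACE candidates) out of the effective set, which is why the asker's command still fails.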