| Name | Description | Default |
|---|---|---|
| setpcap | Transfer any capability in your permitted set to any process ID; remove any capability in your permitted set from any process ID. | off |
| linux_immutable | Allows the modification of the `S_IMMUTABLE` and `S_APPEND` file attributes. These attributes are implemented only for the EXT2FS and EXT3FS Linux file systems. However, if you bind mount a directory located on an EXT2FS or EXT3FS file system into a Container and revoke this capability, the root user inside the Container will not be able to delete or truncate files that have these attributes set. | on |
| net_bind_service | Allows binding to sockets with port numbers below 1024. | on |
| net_broadcast | Allows network broadcasting and multicast access. | on |
| net_admin | Allows the administration of IP firewalls and accounting. | off |
| net_raw | Allows the use of RAW and PACKET sockets. | on |
| ipc_lock | Allows locking shared memory segments and using the `mlock`/`mlockall` calls. | on |
| ipc_owner | Overrides IPC ownership checks. | on |
| sys_module | Insert and remove kernel modules. Be very careful about setting this capability on for a Container: a user who is permitted to insert kernel modules essentially has full control over the Hardware Node. | off |
| sys_chroot | Allows the use of `chroot()`. | on |
| sys_ptrace | Allows tracing any process. | on |
| sys_pacct | Allows configuring process accounting. | on |
| sys_admin | In charge of many system administrator tasks such as swapping, administering APM BIOS, and so on. Shall be set to off for Containers. | off |
| sys_boot | This capability currently has no effect on the Container behaviour. | on |
| sys_nice | Allows raising priority and setting the priority of other processes. | on |
| sys_resource | Override resource limits (do not confuse with user beancounters). | on |
| sys_time | Allows changing the system time. | off |
| sys_tty_config | Allows configuring TTY devices. | on |
| mknod | Allows the privileged aspects of `mknod()`. | on |
| lease | Allows taking leases on files. | on |
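The defaults above are what an auditor compares a running Container against. The following is an added example, not code from the original documentation: it decodes a `CapEff` mask as found in `/proc/<pid>/status` (bit numbers are the standard Linux values from `<linux/capability.h>`) and reports any capability that the table says should be off by default; the sample status text is constructed.

```python
# Added example: audit a Container process's effective capabilities against
# the default table above. Bit numbers are the standard Linux capability
# numbers; only the capabilities listed in the table are covered.

CAP_BITS = {
    "setpcap": 8, "linux_immutable": 9, "net_bind_service": 10,
    "net_broadcast": 11, "net_admin": 12, "net_raw": 13, "ipc_lock": 14,
    "ipc_owner": 15, "sys_module": 16, "sys_chroot": 18, "sys_ptrace": 19,
    "sys_pacct": 20, "sys_admin": 21, "sys_boot": 22, "sys_nice": 23,
    "sys_resource": 24, "sys_time": 25, "sys_tty_config": 26, "mknod": 27,
    "lease": 28,
}

# Capabilities the table lists with Default = off.
DEFAULT_OFF = {"setpcap", "net_admin", "sys_module", "sys_admin", "sys_time"}


def decode_caps(mask_hex):
    """Return the set of table capability names whose bit is set in mask_hex."""
    mask = int(mask_hex, 16)
    return {name for name, bit in CAP_BITS.items() if (mask >> bit) & 1}


def unexpected_caps(mask_hex):
    """Capabilities present in the mask that the table says default to off."""
    return sorted(decode_caps(mask_hex) & DEFAULT_OFF)


def default_mask():
    """Hex mask holding exactly the table's Default = on capabilities."""
    mask = 0
    for name, bit in CAP_BITS.items():
        if name not in DEFAULT_OFF:
            mask |= 1 << bit
    return "%016x" % mask


def caps_from_status(status_text):
    """Extract the CapEff hex mask from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("no CapEff line in status text")


# Constructed sample: a process holding sys_admin (bit 21) and sys_time (bit 25).
SAMPLE_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t0000000002200000\n"

if __name__ == "__main__":
    print("unexpected:", unexpected_caps(caps_from_status(SAMPLE_STATUS)))
```

On a real system, feed the function the contents of `/proc/<pid>/status` for a process running inside the Container; an empty result means no default-off capability is effective.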