2

I want to run a container in un-privileged mode. This is an attempt to keep it more secure and for better control. I recorded a few system calls from my container. Below are the syscalls:

recvfrom
mmap
write
read
fstat
recvmsg
mprotect
munmap
socket
fcntl
io_submit
io_getevents
select
epoll_ctl
lseek
sendmsg
ioctl
stat
sendto
sched_yield
sysdigevent
rt_sigaction

How do I map the above syscalls to capabilities? I want to add those capabilities while running my container.

Guy Avraham
  • Just do it. https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities – Dzmitry Prakapenka Sep 26 '18 at 09:11
  • I don't think you can. Linux capabilities don't work on an individual system call basis, and they work by adding more access to something that is unprivileged, but those system calls can already be done by unprivileged processes. – nos Sep 26 '18 at 09:18
  • How can I find out which capabilities are required for my container to run in un-privileged mode? – Dasthananda Dassu Sep 27 '18 at 04:37
  • You can use capabilities traces like capable, see https://stackoverflow.com/a/47991611/3147123 – tomix86 Sep 27 '18 at 17:29

2 Answers

0

Apart from sysdigevent, which I can't identify, the rest look like basic system calls. Unless you are operating on privileged sockets, raw block devices or anything else inherently privileged, you shouldn't need any capabilities.

danblack
0

You can scan man pages for mentions of CAP_, which won't of course be conclusive.

LIST="epoll_ctl fcntl fstat io_getevents io_submit ioctl lseek mmap mprotect munmap read recvfrom recvmsg rt_sigaction sched_yield select sendmsg sendto socket stat sysdigevent write"
for S in $LIST ; do
   echo "syscall: $S" ;
   # section 2 = system calls; without it, names such as write, read, stat resolve to the section-1 commands
   man 2 "$S" 2>/dev/null | grep "CAP_[A-Z]" | tr -s ' ' ;
done | grep -B 1 CAP

gives

syscall: epoll_ctl
    If EPOLLONESHOT and EPOLLET are clear and the process has the CAP_BLOCK_SUSPEND capability, ensure that the system does not enter "suspend" or
    If EPOLLWAKEUP is specified in flags, but the caller does not have the CAP_BLOCK_SUSPEND capability, then the EPOLLWAKEUP flag is silently ignored.
    of the EPOLLWAKEUP with a check that caused the call to fail if the caller did not have the CAP_BLOCK_SUSPEND capability caused a breakage in at least
    it has the CAP_BLOCK_SUSPEND capability if attempting to use the EPOLLWAKEUP flag.
syscall: fcntl
    of the process. A process with the CAP_LEASE capability may take out leases on arbitrary files.
    /proc/sys/fs/pipe-max-size yield the error EPERM; a privileged process (CAP_SYS_RESOURCE) can override the limit.
syscall: io_submit
    EPERM The aio_reqprio field is set with the class IOPRIO_CLASS_RT, but the submitting context does not have the CAP_SYS_ADMIN capability.
jmullee
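The scan above leaves the reader to eyeball the output for CAP_ names. As an added example (not part of jmullee's answer), the following Python script parses that output format into a syscall-to-capability map and turns the union into a drop-everything, add-only-candidates Docker flag list; the sample input is a constructed copy of three lines from the output shown above, and the resulting candidate list is an upper bound from man-page wording, not proof that any capability is actually needed.

```python
import re
import sys

# Constructed sample: three lines in the format produced by the man-page scan loop above.
SCAN_OUTPUT = """\
syscall: epoll_ctl
    If EPOLLWAKEUP is specified in flags, but the caller does not have the CAP_BLOCK_SUSPEND capability, then the EPOLLWAKEUP flag is silently ignored.
syscall: fcntl
    of the process. A process with the CAP_LEASE capability may take out leases on arbitrary files.
    /proc/sys/fs/pipe-max-size yield the error EPERM; a privileged process (CAP_SYS_RESOURCE) can override the limit.
syscall: io_submit
    EPERM The aio_reqprio field is set with the class IOPRIO_CLASS_RT, but the submitting context does not have the CAP_SYS_ADMIN capability.
"""

CAP_RE = re.compile(r"\bCAP_[A-Z_]+\b")


def parse_scan(text):
    """Map each 'syscall: NAME' header to the set of CAP_* names mentioned beneath it.
    Lines before the first header (e.g. grep's '--' separators) are ignored."""
    caps_by_syscall = {}
    current = None
    for line in text.splitlines():
        if line.startswith("syscall: "):
            current = line[len("syscall: "):].strip()
            caps_by_syscall.setdefault(current, set())
        elif current is not None:
            caps_by_syscall[current].update(CAP_RE.findall(line))
    return caps_by_syscall


def docker_cap_flags(caps_by_syscall):
    """Least-privilege flags: drop all capabilities, then add only the scan's candidates.
    Docker's --cap-add takes the name without the CAP_ prefix (e.g. --cap-add=SYS_ADMIN)."""
    if not caps_by_syscall:
        return ["--cap-drop=ALL"]
    caps = sorted(set().union(*caps_by_syscall.values()))
    return ["--cap-drop=ALL"] + ["--cap-add=" + c[len("CAP_"):] for c in caps]


if __name__ == "__main__":
    # Pipe the real loop output in on stdin; otherwise the constructed sample is used.
    text = sys.stdin.read() if not sys.stdin.isatty() else SCAN_OUTPUT
    mapping = parse_scan(text)
    for name, caps in sorted(mapping.items()):
        print(f"{name}: {', '.join(sorted(caps)) or '(none mentioned)'}")
    print("docker run " + " ".join(docker_cap_flags(mapping)) + " ...")
```

Each candidate still has to be confirmed by testing the workload with --cap-drop=ALL and watching for EPERM, since a man page mentioning CAP_SYS_ADMIN for one flag does not mean the container uses that flag.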