spec/ace.md: define the default capability set #600
Conversation
Diff excerpt (spec/ace.md):

* Scope: app

**Parameters:**

* **set** list of capabilities that will be removed from the process's capabilities bounding set, all others will be included.
* **set** list of capabilities that will be added in the process's capabilities bounding set in addition to the default app capabilities defined thereafter.
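Review bot: both parameter bullets are labelled **set**, so a reader cannot tell which one documents retain-set and which documents remove-set; put the parameter name in each bullet (as the thread itself does, "retain-set" and "remove-set") and state whether the two may be combined or are mutually exclusive, since the first bullet's baseline is "all others will be included" while the second's is "the default app capabilities defined thereafter", and that default list should be given (or linked) in the same section the bullets point to.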
What you're describing sounds like "add-set", but this is "retain-set". I would expect "retain-set" to reference a final set of capabilities that the process should have, no?
I'm not sure I understand the difference.
If it is the final set of capabilities, what is the remove set below for?
Well, I'd been considering them mutually exclusive. Either you use the retain-set in which case you're specifying exactly which capabilities you want, or you specify nothing in which case you get the default set, or you specify remove-set in which case you get the default set minus remove-set.
"retain" sounds much like "ensure these capabilities are present", but below the remove-set booleans from this list. Sounds a little confusing.
@jonboulle ohh... that's not what has been implemented. It's possible to change this but I wonder if previous images with a retain-set of cap_net_admin would expect other caps as well but would not get them anymore.
Docker also has --cap-add and --cap-drop that can be used together: https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
By default, Docker has a default list of capabilities that are kept. The default list for Docker is defined there: https://github.com/docker/docker/blob/master/oci/defaults_linux.go#L64-L79
/cc @s-urbaniak
While it is possible that earlier versions of application images may be looking for additional capabilities, my understanding of the retain set from the specification was that it allowed the developer to create a whitelist of capabilities their application should have access to.
Additionally, once the remove set is implemented in rkt it will be possible to have a smaller set of capabilities, but it is far easier in cases where a small number of capabilities are required to say:
I need CAP_KILL and CAP_CHOWN only, rather than specifying the 12 or so capabilities that they do not need from the default capability list.
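To make the two rule sets argued over in this thread concrete, here is an added Python example; it is not code from the ACE spec, rkt, or this PR. It models the semantics the reviewers converge on (retain-set is an exact whitelist, remove-set is "default minus these", the two are mutually exclusive) beside Docker's composable --cap-add/--cap-drop, and adds a small audit helper that reports which capabilities a manifest grants beyond the default. `DEFAULT_CAPS` is a constructed stand-in for "the default app capabilities defined thereafter", modelled on a typical container runtime default list rather than taken from the spec; `normalize`, `ace_bounding_set`, `docker_bounding_set` and `beyond_default` are names chosen for this example.

```python
"""Effective capability bounding set under the two rule sets in the thread.

Constructed example, not the spec's or rkt's code:
  * ACE-style: retain-set is an exact whitelist, remove-set is
    "default minus these"; the two are mutually exclusive.
  * Docker-style: --cap-add and --cap-drop compose on top of the default.
"""
from typing import FrozenSet, Iterable, Optional

# Constructed stand-in for the default app capability set. Modelled on a
# common container runtime default list; replace with the spec's list once
# it is defined.
DEFAULT_CAPS: FrozenSet[str] = frozenset({
    "CAP_AUDIT_WRITE", "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_MKNOD", "CAP_NET_BIND_SERVICE",
    "CAP_NET_RAW", "CAP_SETFCAP", "CAP_SETGID", "CAP_SETPCAP",
    "CAP_SETUID", "CAP_SYS_CHROOT",
})


def normalize(caps: Iterable[str]) -> FrozenSet[str]:
    """Upper-case names (manifests in the thread use cap_net_admin) and
    reject anything that does not look like a Linux capability name."""
    out = set()
    for name in caps:
        cap = name.strip().upper()
        if not cap.startswith("CAP_") or len(cap) <= len("CAP_"):
            raise ValueError(f"not a capability name: {name!r}")
        out.add(cap)
    return frozenset(out)


def ace_bounding_set(retain_set: Optional[Iterable[str]] = None,
                     remove_set: Optional[Iterable[str]] = None,
                     default: FrozenSet[str] = DEFAULT_CAPS) -> FrozenSet[str]:
    """retain-set: exactly these capabilities (whitelist).
    remove-set: the default set minus these.
    Neither: the default set.  Both: rejected, they are mutually exclusive."""
    if retain_set is not None and remove_set is not None:
        raise ValueError("retain-set and remove-set are mutually exclusive")
    if retain_set is not None:
        return normalize(retain_set)
    if remove_set is not None:
        return frozenset(default) - normalize(remove_set)
    return frozenset(default)


def docker_bounding_set(cap_add: Iterable[str] = (),
                        cap_drop: Iterable[str] = (),
                        default: FrozenSet[str] = DEFAULT_CAPS) -> FrozenSet[str]:
    """--cap-add / --cap-drop compose: (default | add) - drop.
    Only the literal ALL in cap_drop is modelled here: it empties the base
    set before the adds are applied, which is the usual
    `--cap-drop=ALL --cap-add=...` minimisation pattern."""
    drop = list(cap_drop)
    base = frozenset() if any(c.upper() == "ALL" for c in drop) else frozenset(default)
    drop = [c for c in drop if c.upper() != "ALL"]
    return (base | normalize(cap_add)) - normalize(drop)


def beyond_default(bounding: FrozenSet[str],
                   default: FrozenSet[str] = DEFAULT_CAPS) -> FrozenSet[str]:
    """Capabilities granted that are not in the default set: the part of a
    manifest a reviewer should look at first when auditing an image."""
    return frozenset(bounding) - frozenset(default)


if __name__ == "__main__":
    # The "I need CAP_KILL and CAP_CHOWN only" case from the thread.
    print(sorted(ace_bounding_set(retain_set=["cap_kill", "cap_chown"])))
    # Default minus one capability.
    print(sorted(ace_bounding_set(remove_set=["CAP_NET_RAW"])))
    # Docker-style composition and what it grants beyond the default.
    caps = docker_bounding_set(cap_add=["CAP_NET_ADMIN"], cap_drop=["CAP_NET_RAW"])
    print(sorted(beyond_default(caps)))
```

The point the thread makes about compatibility shows up directly: under the whitelist reading an image whose retain-set is only cap_net_admin ends up with exactly one capability, whereas under the additive reading it would have kept the whole default set plus CAP_NET_ADMIN. `beyond_default` is the same check in either model, so it is the function to run in a manifest linter or admission policy.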
ok, I will update this PR following your semantics.
Patch updated, PTAL.
LGTM
Fixes #598
/cc @iaguis @jonboulle