I ended up using `strace --failed` to find out that iptables
needs CAP_NET_RAW:
podman run --rm -it --cap-add NET_ADMIN,SYS_PTRACE --uidmap 0:60000:1000 --gidmap 0:60000:1000 alpine:3.12 \
  sh -c 'apk add iptables strace ; strace --failed iptables -t raw -A PREROUTING -j DROP'
This gives:
socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted)
BPF was another avenue I tried, but it wasn't as fruitful as good
old strace. bcc-tools includes a tool, `capable`, which traces all
capability checks but doesn't (yet) show the outcome of the
check; bpftrace also has an example called `capable.bt` that does
the same thing using bpftrace. I'm pretty sure that this is the
way to go, but it's something of a learning curve, for me at least.
Links:
https://github.com/iovisor/bcc/blob/master/tools/capable.py
https://github.com/iovisor/bpftrace/blob/master/tools/capable.bt
Greetings,
Joost Molenaar
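To turn a raw `strace --failed` dump like the one above into a list of capability hints, here is an added shell helper; it is not from this thread or from any of the tools mentioned in it. The syscall-to-capability table is my own assumption drawn from capabilities(7) and covers only a few common cases, and the strace lines it runs on are constructed.

```shell
#!/bin/sh
# Added helper (assumption: the pattern table below reflects capabilities(7)
# for a handful of syscalls; it is not exhaustive).

# Constructed sample of `strace --failed` output from a container that lacks
# the needed capabilities; the socket() line mirrors the one in the thread.
SAMPLE_STRACE='socket(AF_INET, SOCK_RAW, IPPROTO_RAW) = -1 EPERM (Operation not permitted)
bind(3, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("0.0.0.0")}, 16) = -1 EACCES (Permission denied)
mount("tmpfs", "/mnt", "tmpfs", 0, NULL) = -1 EPERM (Operation not permitted)
chown("/etc/passwd", 0, 0) = -1 EPERM (Operation not permitted)
openat(AT_FDCWD, "/nonexistent", O_RDONLY) = -1 ENOENT (No such file or directory)'

# Map one failed syscall line to the capability it usually points to.
# Prints nothing when no rule matches; always returns 0.
cap_hint() {
  case "$1" in
    socket\(*SOCK_RAW*|socket\(AF_PACKET*) echo "CAP_NET_RAW" ;;
    bind\(*sin_port=htons\(*)
      # Only privileged ports (< 1024) need CAP_NET_BIND_SERVICE.
      port=$(printf '%s' "$1" | sed -E 's/.*sin_port=htons\(([0-9]+)\).*/\1/')
      [ "$port" -lt 1024 ] && echo "CAP_NET_BIND_SERVICE" ;;
    mount\(*|umount2\(*) echo "CAP_SYS_ADMIN" ;;
    chown\(*|fchown\(*|lchown\(*|fchownat\(*) echo "CAP_CHOWN" ;;
    setuid\(*|setresuid\(*) echo "CAP_SETUID" ;;
    settimeofday\(*|clock_settime\(*) echo "CAP_SYS_TIME" ;;
    ptrace\(*) echo "CAP_SYS_PTRACE" ;;
  esac
  return 0
}

# Read strace output on stdin and print "<syscall> <errno> <hint>" for every
# EPERM/EACCES failure; other errors (ENOENT, ...) are not capability problems.
triage_strace() {
  grep -E '= -1 (EPERM|EACCES) ' | while IFS= read -r line; do
    name=${line%%(*}
    errno=$(printf '%s\n' "$line" | sed -E 's/.*= -1 (EPERM|EACCES) .*/\1/')
    hint=$(cap_hint "$line")
    printf '%s\t%s\t%s\n' "$name" "$errno" "${hint:-unknown: see capabilities(7)}"
  done
}

# Stand-alone demo on the constructed sample (or pipe real strace output in).
printf '%s\n' "$SAMPLE_STRACE" | triage_strace
```

Real strace output can be fed in the same way, e.g. `strace --failed -f -o /tmp/out <cmd>` inside the container and then `triage_strace < /tmp/out`.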
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 7, 2021 9:43 AM, Valentin Rothberg <rothberg(a)redhat.com>
wrote:
Hi Jorge,
Thanks for reaching out!
There is a cool tool that can do that:
https://github.com/clustership/inspektor-gadget/
Note that inspektor gadget is designed to run in Kubernetes, so it may not
be as straightforward as running a Podman command. We have another tool to easily
generate custom seccomp profiles (https://github.com/containers/oci-seccomp-bpf-hook) and
have ideas to extend it to also cover capabilities, but we haven't found time to
tackle that yet.
Kind regards,
Valentin
On Wed, Jan 6, 2021 at 9:56 PM Jorge Fábregas <jorge.fabregas(a)gmail.com> wrote:
> Hi,
>
> Is there an easy way to figure out which capabilities are needed for a
> container other than playing out with the cap-drop & cap-add options?
>
> Thanks.
>
> --
> Jorge
> _______________________________________________
> Podman mailing list -- podman(a)lists.podman.io
> To unsubscribe send an email to podman-leave(a)lists.podman.io