Rework default list of capabilities to minimal

For a couple of years now we have been shipping containers.conf settings
to use only 10 capabities. Docker uses 14, with the difference being
CAP_AUDIT_ALLOW, CAP_NET_RAW, CAP_MKNOD, CAP_CHROOT.

This allows us to run with a tighter security then Docker.

This PR makes the change to default config, so that if no
containers.conf overrides are present, we will run with the tighter
security. Currently most distros that ship the containers.conf already
run with this setting, but this makes it formal, and changes the man
page to match the defaults.

Signed-off-by: Daniel J Walsh <[email protected]>

Author: rhatdan

docs/containers.conf.5.md

@@ -88,22 +88,24 @@ List of default capabilities for containers.
 The default list is:
 ```
 default_capabilities = [
-"AUDIT_WRITE",
       "CHOWN",
       "DAC_OVERRIDE",
       "FOWNER",
       "FSETID",
       "KILL",
-      "MKNOD",
       "NET_BIND_SERVICE",
-      "NET_RAW",
+      "SETFCAP",
       "SETGID",
       "SETPCAP",
       "SETUID",
-      "SYS_CHROOT",
 ]
 ```
 
+Note, by default container engines using containers.conf, run with less
+capabilities then Docker. Docker runs additionally with "AUDIT_WRITE", "MKNOD",
+"NET_RAW", "CHROOT". If you need to add one of these capabilities for a
+particular container, you can use the --cap-add option.
+
 **default_sysctls**=[]
 
 A list of sysctls to be set in containers by default,

pkg/config/containers.conf

@@ -52,19 +52,18 @@
 # List of default capabilities for containers. If it is empty or commented out,
 # the default capabilities defined in the container engine will be added.
 #
-default_capabilities = [
-  "CHOWN",
-  "DAC_OVERRIDE",
-  "FOWNER",
-  "FSETID",
-  "KILL",
-  "NET_BIND_SERVICE",
-  "SETFCAP",
-  "SETGID",
-  "SETPCAP",
-  "SETUID",
-  "SYS_CHROOT"
-]
+#default_capabilities = [
+#  "CHOWN",
+#  "DAC_OVERRIDE",
+#  "FOWNER",
+#  "FSETID",
+#  "KILL",
+#  "NET_BIND_SERVICE",
+#  "SETFCAP",
+#  "SETGID",
+#  "SETPCAP",
+#  "SETUID",
+#]
 
 # A list of sysctls to be set in containers by default,
 # specified as "name=value",

pkg/config/default.go

@@ -76,20 +76,16 @@ var (
 	DefaultHooksDirs = []string{"/usr/share/containers/oci/hooks.d"}
 	// DefaultCapabilities is the default for the default_capabilities option in the containers.conf file.
 	DefaultCapabilities = []string{
-		"CAP_AUDIT_WRITE",
 		"CAP_CHOWN",
 		"CAP_DAC_OVERRIDE",
 		"CAP_FOWNER",
 		"CAP_FSETID",
 		"CAP_KILL",
-		"CAP_MKNOD",
 		"CAP_NET_BIND_SERVICE",
-		"CAP_NET_RAW",
 		"CAP_SETFCAP",
 		"CAP_SETGID",
 		"CAP_SETPCAP",
 		"CAP_SETUID",
-		"CAP_SYS_CHROOT",
 	}
 
 	// Search these locations in which CNIPlugins can be installed.