CAP_CHOWN Exploitability Research
tags: container, capability, cap_chown
1. Container support
Docker grants CAP_CHOWN to containers by default:
https://github.com/moby/moby/blob/791549508a3ed3b95d00556d53940b24a54d901a/oci/caps/defaults.go#L6
package caps // import "github.com/docker/docker/oci/caps"

// DefaultCapabilities returns a Linux kernel default capabilities
func DefaultCapabilities() []string {
	return []string{
		"CAP_CHOWN",
		...
	}
}
The default seccomp profile allows the related system calls (the whole chown family, including the 32-bit and *at variants):
{
    ...
    "syscalls": [
        ...
        {
            "names": [
                ...
                "chown",
                "chown32",
                ...
                "fchown",
                "fchown32",
                "fchownat",
                ...
                "lchown",
                "lchown32",
                ...
            ],
            "action": "SCMP_ACT_ALLOW"
        },
        ...
    ]
}
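Both of the defaults above (the capability granted to the container and the seccomp allow-list) can be checked and tightened from the defender's side. The following is an added example, not code from this page or from the moby project: it parses the CapEff mask from /proc/<pid>/status text to see whether CAP_CHOWN (capability number 0) is effective, and rewrites a Docker-style seccomp profile so the chown family is denied with EPERM. The status text and the profile are constructed samples; the CapEff value 0xa80425fb is Docker's usual default bounding set, and the function names are my own.

```python
import json
import re

# chown-family syscall names, as listed in Docker's default seccomp profile
CHOWN_SYSCALLS = {"chown", "chown32", "fchown", "fchown32",
                  "fchownat", "lchown", "lchown32"}

CAP_CHOWN_BIT = 0  # CAP_CHOWN is capability number 0 in linux/capability.h

# Constructed sample: /proc/self/status excerpt from a default Docker container
SAMPLE_STATUS_DEFAULT = (
    "Name:\tsh\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
)
# Constructed sample: same container started with --cap-drop CHOWN (bit 0 cleared)
SAMPLE_STATUS_DROPPED = SAMPLE_STATUS_DEFAULT.replace("a80425fb", "a80425fa")

# Constructed sample profile with the shape of Docker's default.json
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {
            "names": ["accept", "chown", "chown32", "fchown", "fchown32",
                      "fchownat", "lchown", "lchown32", "read", "write"],
            "action": "SCMP_ACT_ALLOW",
        }
    ],
}


def parse_capeff(status_text: str) -> int:
    """Return the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def has_cap_chown(status_text: str) -> bool:
    """True if CAP_CHOWN is in the process's effective set."""
    return bool((parse_capeff(status_text) >> CAP_CHOWN_BIT) & 1)


def chown_allowed(profile: dict) -> set:
    """Chown-family syscalls that an SCMP_ACT_ALLOW rule in the profile permits."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            allowed.update(n for n in rule.get("names", []) if n in CHOWN_SYSCALLS)
    return allowed


def deny_chown_in_seccomp(profile: dict) -> dict:
    """Copy of a Docker-style seccomp profile with the chown family denied.

    Removes the names from every allow rule (with defaultAction SCMP_ACT_ERRNO
    that alone blocks them) and adds an explicit SCMP_ACT_ERRNO rule so the
    intent is visible in the profile. errnoRet is the Docker profile field
    for the errno returned to the caller; 1 is EPERM.
    """
    hardened = json.loads(json.dumps(profile))  # deep copy, input untouched
    for rule in hardened.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            rule["names"] = [n for n in rule.get("names", []) if n not in CHOWN_SYSCALLS]
    hardened["syscalls"] = [r for r in hardened.get("syscalls", []) if r.get("names")]
    hardened["syscalls"].append({
        "names": sorted(CHOWN_SYSCALLS),
        "action": "SCMP_ACT_ERRNO",
        "errnoRet": 1,
    })
    return hardened


if __name__ == "__main__":
    print("default container has CAP_CHOWN:", has_cap_chown(SAMPLE_STATUS_DEFAULT))
    print("after --cap-drop CHOWN:", has_cap_chown(SAMPLE_STATUS_DROPPED))
    hardened = deny_chown_in_seccomp(SAMPLE_PROFILE)
    print("chown family allowed before:", sorted(chown_allowed(SAMPLE_PROFILE)))
    print("chown family allowed after:", sorted(chown_allowed(hardened)))
    print(json.dumps(hardened, indent=2))
```

Inside a real container, read `/proc/self/status` instead of the sample string; the simplest mitigation for a workload that never needs to change file ownership is `docker run --cap-drop CHOWN ...`, and the hardened profile can be supplied with `--security-opt seccomp=<file>`. Denying the syscalls and dropping the capability are complementary: the seccomp rule stops the call before the kernel's capability check runs, so it also covers a process that regains CAP_CHOWN through a setuid binary.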
2. Kernel
Source code analysis:
https://ssst0n3.github.io/source/#/static/source/kernel-cap_chown.json