Brief intro to Capabilities

“Root” is no longer a clear indication of… anything, really, in terms of Linux power levels.

Capabilities are. And capabilities are quite a bit more complex.

Sometimes additional kernel parameters will also be relevant, but it’s relatively rare that these are impactful.

Sometimes certain virtualization systems take things so far out that they’re a completely different ballgame (e.g. gvisor has a totally different “kernel”, so nesting in there is… wild).

In terms of capabilities, the main one to take note of is CAP_SYS_ADMIN. This is the closest analog to historical “root” – it’s the capability that permits all other things, including getting more capabilities.

Executors

chroot

  • requires CAP_SYS_CHROOT
    • this is a pretty cheap one!

runc

  • not exactly sure. probably CAP_SYS_ADMIN.

gvisor

  • remarkably: none

Handling files

on the host

  • reading all files

  • creating all files except devices

  • creating all files including devices

  • assembling the tree

    • bind mounts
    • overlay mounts
    • copy fallbacks
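
As an added example (not part of these notes, and not code from runc or gvisor), the following Go program decodes the CapEff bitmask from /proc/self/status and reports whether the current process holds the capability each of the operations above needs: CAP_SYS_CHROOT for chroot, CAP_DAC_READ_SEARCH for reading all files regardless of mode bits, CAP_MKNOD for creating device nodes, and CAP_SYS_ADMIN for bind and overlay mounts. The operation-to-capability mapping is my own reading of capabilities(7), not something the notes state; the bit numbers are the ones from linux/capability.h. ParseCapEff is pure, so it can be fed constructed status text as well as the live file.

```go
// Added example: decode CapEff from /proc/<pid>/status and report which of the
// operations discussed in these notes the process could perform.
package main

import (
	"bufio"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Capability bit numbers from <linux/capability.h>.
const (
	CapDacReadSearch = 2  // CAP_DAC_READ_SEARCH
	CapSysChroot     = 18 // CAP_SYS_CHROOT
	CapSysAdmin      = 21 // CAP_SYS_ADMIN
	CapMknod         = 27 // CAP_MKNOD
)

// ParseCapEff extracts the effective capability mask from the text of a
// /proc/<pid>/status file. The kernel prints it as a hex bitmask,
// e.g. "CapEff:\t000001ffffffffff".
func ParseCapEff(status string) (uint64, error) {
	sc := bufio.NewScanner(strings.NewReader(status))
	for sc.Scan() {
		line := sc.Text()
		if !strings.HasPrefix(line, "CapEff:") {
			continue
		}
		hexMask := strings.TrimSpace(strings.TrimPrefix(line, "CapEff:"))
		return strconv.ParseUint(hexMask, 16, 64)
	}
	return 0, fmt.Errorf("no CapEff line in status text")
}

// HasCap reports whether capability number n is set in mask.
func HasCap(mask uint64, n uint) bool {
	return mask&(1<<n) != 0
}

// Operation pairs an action from these notes with the capability it needs.
type Operation struct {
	Name string
	Cap  uint
}

// Operations is the assumed mapping (from capabilities(7)), not from the notes.
var Operations = []Operation{
	{"chroot(2)", CapSysChroot},
	{"read all files (bypass DAC)", CapDacReadSearch},
	{"create device nodes (mknod)", CapMknod},
	{"bind/overlay mounts", CapSysAdmin},
}

// Report returns, per operation name, whether mask permits it.
func Report(mask uint64) map[string]bool {
	out := make(map[string]bool, len(Operations))
	for _, op := range Operations {
		out[op.Name] = HasCap(mask, op.Cap)
	}
	return out
}

func main() {
	data, err := os.ReadFile("/proc/self/status")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	mask, err := ParseCapEff(string(data))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("CapEff = %#x\n", mask)
	for _, op := range Operations {
		fmt.Printf("%-30s %v\n", op.Name, HasCap(mask, op.Cap))
	}
}
```

One caveat worth keeping in mind when reading the output: capabilities are evaluated relative to the user namespace that owns the resource being touched, so a full CapEff inside an unprivileged user namespace (the common rootless-container setup) does not translate into the same power over host files, devices or mounts that the same mask would grant in the initial namespace.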

gvisor gopher plugin