To use the capability add-and-drop feature, you need to know how to invoke it. Here are some common use cases:
- To drop capabilities, run a command similar to the following:
$ docker container run --cap-drop <CAPABILITY> <image> <command>
- Similarly, to add capabilities, run a command similar to the following:
$ docker container run --cap-add <CAPABILITY> <image> <command>
- To remove the setuid and setgid capabilities from the container so that it cannot run binaries that have these bits set, run the following command:
$ docker container run -it --cap-drop setuid --cap-drop setgid alpine ash
- To add all capabilities and drop only sys_admin, run the following command:
$ docker container run -it --cap-add all --cap-drop sys_admin alpine ash
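To confirm that a --cap-drop actually took effect, read the CapBnd line of /proc/self/status inside the container and decode the hex mask. The POSIX shell decoder below is an added example, not part of the original text; the masks it refers to are Docker's default bounding set (a80425fb) and values computed by hand for the two alpine commands above.

```shell
# Capability names in kernel bit order (bit 0 = chown ... bit 40 = checkpoint_restore),
# as used in the CapBnd/CapEff masks of /proc/<pid>/status.
CAP_NAMES="chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap mac_override mac_admin syslog wake_alarm block_suspend audit_read perfmon bpf checkpoint_restore"

# decode_capbnd HEXMASK: print one capability name per line for every bit set in HEXMASK.
# Inside a container, get the mask with:  grep CapBnd /proc/self/status | awk '{print $2}'
decode_capbnd() {
    cap_mask=$((0x$1))
    cap_bit=0
    for cap_name in $CAP_NAMES; do
        if [ $(( (cap_mask >> cap_bit) & 1 )) -eq 1 ]; then
            echo "$cap_name"
        fi
        cap_bit=$((cap_bit + 1))
    done
}

# has_cap HEXMASK NAME: exit 0 if NAME is in the bounding set, 1 otherwise.
has_cap() {
    decode_capbnd "$1" | grep -qx "$2"
}

# verify_dropped HEXMASK NAME...: succeed only if none of NAME... remain in the mask.
# Any capability still present is printed, so a mistyped --cap-drop does not go unnoticed.
verify_dropped() {
    vd_mask=$1
    shift
    vd_rc=0
    for vd_want in "$@"; do
        if has_cap "$vd_mask" "$vd_want"; then
            echo "still present: $vd_want"
            vd_rc=1
        fi
    done
    return $vd_rc
}

# Stand-alone demonstration on constructed masks (not captured from a live container):
#   a80425fb    Docker's default bounding set (14 capabilities)
#   a804253b    default set with bits 6 (setgid) and 7 (setuid) cleared, as produced by
#               --cap-drop setuid --cap-drop setgid
#   1ffffdfffff all 41 capabilities with bit 21 (sys_admin) cleared, as produced by
#               --cap-add all --cap-drop sys_admin
verify_dropped a804253b setuid setgid && echo "setuid/setgid drop confirmed"
verify_dropped 1ffffdfffff sys_admin && echo "sys_admin drop confirmed"
```

On a host with libcap installed, `capsh --decode=<hex>` prints the same list; the shell version is for minimal images that do not ship it.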