9

When I run a command within a docker container, I see:

# ip netns exec 9ee961d90990 ifconfig setting the network namespace "9ee961d90990" failed: Operation not permitted

I can launch my container with expanded capabilities directly (I have added the net_admin one) but is there any way to check what system capability is required in order to run this command?

It is possible to start the container with --privileged to do this and trample over everything security related associated with docker but I'd rather avoid doing this if at all possible. Doing this does allow the above command to succeed.

Improve this question

1 Answer 1

Reset to default
5

According to the setns(2) man page you'll need CAP_SYS_ADMIN in order to join the target network namespace. But you may probably need additional capabilities because setns() is used with a file descriptor to /run/netns/.... You don't tell how you've created this network namespace, so I assume it has been created through ip netns add ..., so it's a bind-mounted network namespace pointing into nsfs (namespace filesystem) anyway.

Since /run/netns/... is usually root-territory, you probably need CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH too, see also capabilities(7) man page. Maybe, also CAP_SYS_PTRACE, because access to many /proc inodes is further restricted by the ptrace capability.

Improve this answer
2
  • 1
    CAP_SYS_ADMIN you meant! Commented Nov 23, 2022 at 20:01
  • 1
    Correct, thank you very much for spotting and reporting this! I've corrected it. Commented Nov 24, 2022 at 12:03

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.