Page MenuHomeVyOS Platform
Create Task
Maniphest T5544

Allow CAP_SYS_MODULE to be set on containers
Closed, ResolvedPublicFEATURE REQUEST
Actions

Description

This is particularly useful for the tailscale container outside of user-space.

https://man7.org/linux/man-pages/man7/capabilities.7.html

Details

Difficulty level
Unknown (require assessment)
Version
-
Why the issue appeared?
Will be filled on close
Is it a breaking change?
Perfectly compatible
Issue type
Improvement (missing useful functionality)

Event Timeline

anthr76 created this task.Sep 3 2023, 4:10 PM
anthr76 added a comment.Sep 3 2023, 4:20 PM

https://github.com/vyos/vyos-1x/pull/2197

Apachez added a subscriber: Apachez.Sep 3 2023, 4:26 PM

According to https://man7.org/linux/man-pages/man7/capabilities.7.html this capability can load, unload AND delete kernel modules.

I think a security warning or such for the tabcompletion should exist for that setting.

That is whatever you now run as container might not be as isolated as you think if you enable this capability.

CuBiC3D added a subscriber: CuBiC3D.Sep 3 2023, 5:38 PM
syncer triaged this task as Low priority.Sep 3 2023, 5:44 PM
Viacheslav closed this task as Resolved.Sep 6 2023, 10:10 AM
Viacheslav claimed this task.
Viacheslav moved this task from Need Triage to Finished on the VyOS 1.4 Sagitta board.
Viacheslav added a subscriber: Viacheslav.

@

Viacheslav reassigned this task from Viacheslav to anthr76.Sep 6 2023, 10:11 AM