Containerization is a booming technology. As many as seventy-five percent of global organizations could be running some type of containerization technology in the near future. Since widely used technologies are more likely to be targeted by hackers, securing containers is especially important. This article will demonstrate how POSIX capabilities are used to secure Podman containers. Podman is the default container management tool in RHEL 8.
Containers run in either privileged or unprivileged mode. In privileged mode, the container uid 0 is mapped to the host's uid 0. For some use cases, unprivileged containers lack sufficient access to the resources of the host machine. Technologies and techniques including Mandatory Access Control (AppArmor, SELinux), seccomp filters, dropping of capabilities, and namespaces help to secure containers regardless of their mode of operation.
To determine the privilege mode from outside the container.
If the above command returns true, then the container is running in privileged mode. If it returns false, then the container is running in unprivileged mode.
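One way to run this check from the host, as an added example rather than the article's original command: it reads the `HostConfig.Privileged` field from `podman inspect`, which prints `true` or `false`, and lists each container's effective capabilities next to its mode. The function names `container_mode` and `audit_containers` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original article); function names are hypothetical.

# Print "privileged" or "unprivileged" for one container name or ID.
# Prints "unknown" and returns 2 if the container cannot be inspected.
container_mode() {
    priv=$(podman inspect --format '{{.HostConfig.Privileged}}' "$1" 2>/dev/null) || {
        echo "unknown"
        return 2
    }
    case "$priv" in
        true)  echo "privileged" ;;
        false) echo "unprivileged" ;;
        *)     echo "unknown"; return 2 ;;
    esac
}

# Print "<id> <mode> <effective capabilities>" (tab-separated) for every
# container, running or stopped.
# Returns 1 if any container is privileged or could not be classified.
audit_containers() {
    status=0
    for id in $(podman ps --all --quiet); do
        mode=$(container_mode "$id") || status=1
        caps=$(podman inspect --format '{{.EffectiveCaps}}' "$id" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$id" "$mode" "${caps:-[]}"
        if [ "$mode" = "privileged" ]; then
            status=1
        fi
    done
    return "$status"
}
```

Source the file and call `audit_containers`; its non-zero exit status makes it usable as a gate in a host hardening check.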