CapMan: Detecting and Mitigating Linux Capability Abuses at Runtime to Secure Privileged Containers
摘要
Linux capabilities represent an important security feature for enabling fine-grained management of privileges. However, limitations in selectively enabling capabilities for processes and lagging adoption from application developers often lead the operators to run containers with unnecessary privileges. Although this can potentially be addressed by modifying the application, minimizing the set of enabled capabilities, assigning capabilities to executable files, or using user space utilities like Ptrace, those solutions typically require manual efforts, only provide partial protection, or incur significant overhead. In this paper, we present CapMan, a solution that secures privileged containers by detecting and mitigating potential capability abuses at runtime. Our main idea is threefold. First, CapMan examines all capability requests made by system calls to ensure full protection. Second, CapMan performs the detection directly inside the Linux kernel to ensure its efficiency. Third, CapMan mitigates capability abuses in a transparent manner without requiring any change made to the application or container. Our evaluation of CapMan using real-world CVEs and capability abuses shows that it can mitigate all the tested capability abuses (most of which are missed by a state-of-the-art solution) with negligible performance overhead.