Virtuozzo 7 User’s Guide
9.2.1. Available Capabilities for Containers

setpcap

Transfer any capability in your permitted set to any process ID; remove any capability in your permitted set from any process ID.

off

linux_immutable

Allows the modification of the S_IMMUTABLE and S_APPEND file attributes. These attributes are implemented only for the EXT2FS and EXT3FS Linux file systems. However, if you bind mount a directory located on the EXT2FS or EXT3FS file system into a container and revoke this capability, the root user inside the container will not be able to delete or truncate files with these attributes on.

on

net_bind_service

Allows to bind to sockets with numbers below 1024.

on

net_broadcast

Allows network broadcasting and multicast access.

on

net_admin

Allows the administration of IP firewalls and accounting.

off

net_raw

Allows to use the RAW and PACKET sockets.

on

ipc_lock

Allows to lock shared memory segments and mlock/mlockall calls.

on

ipc_owner

Overrides IPC ownership checks.

on

sys_module

Insert and remove kernel modules. Be very careful with setting this capability on for a container; if a user has the permission of inserting kernel modules, this user has essentially full control over the hardware node.

off

sys_chroot

Allows to use chroot().

on

sys_ptrace

Allows to trace any process.

on

sys_pacct

Allows to configure process accounting.

on

sys_admin

In charge of many system administrator tasks such as swapping, administering APM BIOS, and so on. Shall be set to off for containers.

off

sys_boot

This capability currently has no effect on the container behaviour.

on

sys_nice

Allows to raise priority and to set priority for other processes.

on

sys_resource

Override resource limits (not to be confused with user beancounters).

on

sys_time

Allows to change the system time.

off

sys_tty_config

Allows to configure TTY devices.

on

mknod

Allows the privileged aspects of mknod().

on

lease

Allows to take leases of files.

on