How to set up per-process capabilities in an LXC container?

Hello, I am trying to run an unprivileged LXC container application which needs the CAP_NET_ADMIN capability. However, only one process in the container needs that capability.
When I configure lxc.cap.keep = CAP_NET_ADMIN, all the processes running inside the container application get the CAP_NET_ADMIN capability. For testing purposes, when I executed “sleep” from the container shell, that new process also got the CAP_NET_ADMIN capability.
Is there any way I can assign CAP_NET_ADMIN to only one process in the LXC container, and zero capabilities to any other process in the container?


There’s no extra container magic there, so you’d need to do it the same way you would on a normal machine. You can effectively do that by having the init system or a similar privileged parent process in the container drop the capability for the processes it forks, except for the one you care about.

Note that if you have processes that retain cap_sys_admin, dropping cap_net_admin won’t do you all that much good, as there are ways to regain capabilities when given that kind of wide privilege.
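The approach described in the reply above, as an added example that is not part of the original thread: a parent process inside the container forks its children and strips CAP_NET_ADMIN from all but one of them before exec. It assumes the parent runs as the container's root (uid 0 in the user namespace), as the questioner's shell does, and that lxc.cap.keep also retains CAP_SETPCAP for it; without CAP_SETPCAP the bounding-set drop is refused, and a uid-0 child regains on exec whatever is left in the bounding set.

```c
/* Added example (not from the thread): keep CAP_NET_ADMIN for one child and
 * strip it from every other child before exec. Raw capget/capset, no libcap. */
#define _GNU_SOURCE
#include <errno.h>
#include <linux/capability.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if `cap` is in the caller's effective set, 0 if not, -1 on error. */
int has_effective_cap(int cap) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];          /* v3: two 32-bit words per set */
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    return (d[cap / 32].effective >> (cap % 32)) & 1U;
}

/* Clear `cap` from the effective/permitted/inheritable sets (no privilege
 * needed) and from the bounding set (needs CAP_SETPCAP). For a uid-0 child the
 * bounding drop is the one that survives exec: root regains every capability
 * still in the bounding set. 0 = both done, 1 = bounding drop refused, -1 = error. */
int drop_cap_from_self(int cap) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct d[2];
    unsigned keep = ~(1U << (cap % 32));
    if (syscall(SYS_capget, &h, d) != 0) return -1;
    d[cap / 32].effective &= keep; d[cap / 32].permitted &= keep;
    d[cap / 32].inheritable &= keep;
    if (syscall(SYS_capset, &h, d) != 0) return -1;
    if (prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) == 0) return 0;
    return errno == EPERM ? 1 : -1;
}

/* Fork and exec argv; unless keep_net_admin is set, the child sheds the cap first. */
pid_t spawn(char *const argv[], int keep_net_admin) {
    pid_t pid = fork();
    if (pid != 0) return pid;                    /* parent, or fork failure */
    if (!keep_net_admin && drop_cap_from_self(CAP_NET_ADMIN) < 0) _exit(127);
    execvp(argv[0], argv);
    _exit(127);
}

int main(void) {  /* both children print CapEff; only the first keeps the bit */
    char *const show[] = { "grep", "CapEff", "/proc/self/status", NULL };
    pid_t a = spawn(show, 1), b = spawn(show, 0);
    int st; waitpid(a, &st, 0); waitpid(b, &st, 0);
    return 0;
}
```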