Since LXD 3.0 no capabilities are dropped for unprivileged containers by default.
This was changed in the commit “container_lxc: keep full capability set”, whose message reads:

Unprivileged containers don’t need to drop any capabilities. The kernel will
enforce security for us.
I guess that it’s not “needed to drop any capabilities” in unprivileged containers because the unprivileged user running the container doesn’t actually have any capabilities on the host. Am I right?

My issue with this is that CAP_SYS_TIME is present in these containers, telling all the applications in them that they actually have the capability to modify the time on this system, which is never true for an unprivileged container (until timens gets into the kernel, I guess?).

In my case this raises issues in an Ansible role that bases its decision on whether to install ntp services on this capability. In my opinion the capabilities should be the source of truth for this kind of decision.

If I can’t trust CAP_SYS_TIME in this aspect, what else can I use for decisions like this?
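One way to make such a decision more reliable, as an added example that is not part of the original post and not LXD’s own code: decode the CapEff bitmask from /proc/self/status as before, but combine it with /proc/self/uid_map. The kernel checks CAP_SYS_TIME for clock-setting calls against the initial user namespace, so a process in a non-initial user namespace (which is what an unprivileged LXD container is) cannot set the clock no matter what its effective set says. The initial namespace is recognisable by its identity map of the full uid range; the sample status and uid_map texts below are constructed to resemble an unprivileged container and a host root shell.

```python
import re
from pathlib import Path

# Capability number from include/uapi/linux/capability.h
CAP_SYS_TIME = 25

# Constructed samples (not captured from a real system).
CONTAINER_STATUS = "Name:\tbash\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
CONTAINER_UID_MAP = "         0     100000 1000000000\n"   # typical LXD idmap
HOST_STATUS = "Name:\tbash\nCapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n"
HOST_UID_MAP = "         0          0 4294967295\n"         # initial user namespace


def cap_in_effective_set(status_text: str, cap_number: int) -> bool:
    """Parse the CapEff line of a /proc/<pid>/status dump and test one bit."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if match is None:
        raise ValueError("no CapEff line in status text")
    cap_eff = int(match.group(1), 16)
    return bool((cap_eff >> cap_number) & 1)


def in_initial_user_namespace(uid_map_text: str) -> bool:
    """Only the initial user namespace maps the whole 32-bit uid range 1:1.
    Any other mapping (or a partial one) means the caller is inside a userns."""
    rows = [line.split() for line in uid_map_text.splitlines() if line.strip()]
    return rows == [["0", "0", "4294967295"]]


def can_really_set_clock(status_text: str, uid_map_text: str) -> bool:
    """CAP_SYS_TIME is only meaningful for clock_settime/settimeofday when the
    process also lives in the initial user namespace (no time namespaces)."""
    return (cap_in_effective_set(status_text, CAP_SYS_TIME)
            and in_initial_user_namespace(uid_map_text))


def probe_current_process() -> dict:
    """Read the real /proc files for the running process (Linux only)."""
    status = Path("/proc/self/status").read_text()
    uid_map = Path("/proc/self/uid_map").read_text()
    return {
        "cap_sys_time_in_capeff": cap_in_effective_set(status, CAP_SYS_TIME),
        "initial_user_namespace": in_initial_user_namespace(uid_map),
        "can_set_clock": can_really_set_clock(status, uid_map),
    }


if __name__ == "__main__":
    print("container sample:", can_really_set_clock(CONTAINER_STATUS, CONTAINER_UID_MAP))
    print("host sample:     ", can_really_set_clock(HOST_STATUS, HOST_UID_MAP))
    try:
        print("this process:    ", probe_current_process())
    except OSError as exc:
        print("no /proc available:", exc)
```

Run as a custom fact script, the can_set_clock value is what an Ansible role could key the install/skip decision on, instead of the CapEff bit alone; the container sample shows the bit set yet the answer false.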