docker.md: drop caps and set nonewpriv flag
This commit adds the --security-opt no-new-privileges:true --cap-drop=ALL flags to the docker run invocations so that the container runs with lower privileges and cannot gain more of them via suid binaries.
See also:
- https://man7.org/linux/man-pages/man7/capabilities.7.html
- https://www.kernel.org/doc/html/latest/userspace-api/no_new_privs.html
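The following is an added example and is not part of the commit or the project's own docker.md. It wraps the two flags from the commit in a reusable `docker run` helper and adds an offline check of what those flags are meant to guarantee inside the container: `NoNewPrivs: 1` and an all-zero `CapEff` in `/proc/self/status`. The image name `alpine:3.19`, the function names and the two sample status dumps are assumptions constructed for the example; the capability bitmasks in the samples are illustrative, not captured from a real container.

```sh
#!/bin/sh
# Added example (not from the original commit): hardened `docker run` wrapper plus a
# check of /proc/<pid>/status for the two properties the flags are meant to give us.
set -eu

# The flags added by the commit, kept in one place so every invocation uses them.
hardened_run_args() {
    printf '%s\n' "--security-opt" "no-new-privileges:true" "--cap-drop=ALL"
}

# Run a command in a hardened container. Needs a working docker; not used offline.
# Usage: hardened_run alpine:3.19 sh -c 'grep -E "NoNewPrivs|Cap" /proc/self/status'
hardened_run() {
    # shellcheck disable=SC2046  # word-splitting of the flag list is intended
    docker run --rm $(hardened_run_args) "$@"
}

# Read a /proc/<pid>/status dump on stdin; succeed only if NoNewPrivs is 1 and the
# effective capability set (CapEff) is all zeros, i.e. every capability was dropped.
check_status() {
    status=$(cat)
    nnp=$(printf '%s\n' "$status" | awk '/^NoNewPrivs:/ {print $2}')
    capeff=$(printf '%s\n' "$status" | awk '/^CapEff:/ {print $2}')
    [ "$nnp" = "1" ] || { echo "FAIL: NoNewPrivs=${nnp:-missing} (want 1)"; return 1; }
    [ -n "$capeff" ] || { echo "FAIL: no CapEff line"; return 1; }
    case "$capeff" in
        *[!0]*) echo "FAIL: CapEff=$capeff (want all zeros)"; return 1 ;;
    esac
    echo "OK: NoNewPrivs=$nnp CapEff=$capeff"
}

# Live check against a real container (assumed image alpine:3.19; needs docker).
verify_live_container() {
    hardened_run alpine:3.19 sh -c 'cat /proc/self/status' | check_status
}

# Constructed sample: what a container started with the flags above should show.
HARDENED_STATUS='CapInh: 0000000000000000
CapPrm: 0000000000000000
CapEff: 0000000000000000
CapBnd: 0000000000000000
NoNewPrivs: 1'

# Constructed sample: a plain `docker run` with no hardening flags (bitmask illustrative).
DEFAULT_STATUS='CapInh: 0000000000000000
CapPrm: 00000000a80425fb
CapEff: 00000000a80425fb
CapBnd: 00000000a80425fb
NoNewPrivs: 0'

# Offline demonstration: the hardened sample passes, the default one is rejected.
printf '%s\n' "$HARDENED_STATUS" | check_status
printf '%s\n' "$DEFAULT_STATUS" | check_status || echo "(expected: default container is not hardened)"
```

Two caveats worth keeping in mind when reading the check: `no_new_privs` only stops the container's processes from gaining privileges they do not already have (via setuid or file-capability binaries), so a process that starts as uid 0 with an empty capability set is still uid 0 inside the container; pairing these flags with `--user` to run as a non-root uid closes that gap. And `CapEff` being zero is the property to assert, since `CapBnd` alone only bounds what could be regained.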