79204777

Date: 2024-11-19 19:21:52
Score: 0.5
Natty:
Report link

This is the solution I came up with:

#!/bin/sh
#
# is_privileged.sh

set -eu

# Get the capability bounding set
cap_bnd=$(grep '^CapBnd:' /proc/$$/status | awk '{print $2}')
# Convert to decimal
cap_bnd=$(printf "%d" "0x${cap_bnd}")

# Get the last capability number
last_cap=$(cat /proc/sys/kernel/cap_last_cap)

# Calculate the maximum capability value
max_cap=$(((1 << (last_cap + 1)) - 1))

if [ "${cap_bnd}" -eq "${max_cap}" ]; then
    echo "Container is running in privileged mode." >&2
    exit 0
else
    echo "Container is not running in privileged mode." >&2
    exit 1
fi

Example:

$ cat is_privileged.sh | docker run --rm -i alpine sh -
Container is not running in privileged mode.

$ cat is_privileged.sh | docker run --rm -i alpine sh -
Container is running in privileged mode.

I believe it is better option as it doesn't actually create any ip link.

I've also made it available in my docker-scripts project.

Reasons:
  • Contains signature (1):
  • Long answer (-0.5):
  • Has code block (-0.5):
  • Low reputation (0.5):
Posted by: felipecrs