
11.2.2.3 Capability Addition Caution

A focused guide to Capability Addition Caution, connecting core concepts with practical Docker and container operations.

Capability addition caution reflects that, while adding back specific capabilities after dropping all of them is a sound general pattern, each individual capability added should be deliberately considered, since some capabilities carry significantly more inherent risk than others if granted unnecessarily.

Why Not Every Capability Carries Equal Risk

Some capabilities, like NET_BIND_SERVICE, grant a narrow, specific privilege (binding to ports below 1024) with little broader risk, while others, like SYS_ADMIN, bundle together a wide range of powerful operations that are not meaningfully distinct from much of root's own privilege.

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:1.0
docker run --cap-drop=ALL --cap-add=SYS_ADMIN myapp:1.0

The second command grants a capability bundling together many distinct privileged operations, meaningfully closer to broad root-level access than the first, narrowly scoped capability addition.

Researching a Capability's Actual Scope Before Adding It

Before adding a capability to satisfy a specific error, understanding exactly what that capability actually grants helps assess whether it's a reasonably scoped fix or a much broader privilege expansion than the situation actually warrants.

SYS_ADMIN includes: mount/unmount filesystems, configure namespaces,
adjust various kernel parameters, and more

Recognizing the breadth of what a capability like this actually grants should prompt reconsidering whether the underlying need can be met some other way, rather than simply adding this broad capability.

Considering Whether an Alternative Approach Avoids the Need Entirely

Sometimes an application's apparent need for a broad capability reflects an avoidable design choice rather than a genuine, unavoidable requirement — addressing the underlying cause can eliminate the need for the capability addition altogether.

EXPOSE 8080

Configuring an application to listen on an unprivileged port internally, for instance, avoids ever needing NET_BIND_SERVICE in the first place.
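The two decisions described above (checking how broad a requested capability is before adding it, and asking whether a port remap removes the need for NET_BIND_SERVICE altogether) can be made mechanical before a `docker run` is ever issued. The script below is an added example, not code from the original page or from Docker; the list of "broad" capabilities is a hand-picked assumption for illustration rather than an exhaustive classification, the function names are hypothetical, and `myapp:1.0` is the image name used on the page. Nothing here talks to the Docker daemon: it only assembles and reviews the argument list.

```shell
#!/bin/sh
# Added example: triage a proposed --cap-add list before running a container.
# The BROAD_CAPS set is an illustrative assumption, not an authoritative list.

# Capabilities whose scope approaches root-equivalent power (assumption for this example).
BROAD_CAPS="SYS_ADMIN SYS_MODULE SYS_PTRACE SYS_RAWIO DAC_READ_SEARCH NET_ADMIN"

# classify_cap CAP -> prints "broad" or "narrow"; accepts "cap_sys_admin" or "SYS_ADMIN".
classify_cap() {
    cap=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | sed 's/^CAP_//')
    for b in $BROAD_CAPS; do
        if [ "$cap" = "$b" ]; then
            echo broad
            return 0
        fi
    done
    echo narrow
}

# needs_net_bind_service PORT -> succeeds when an unprivileged process would need
# the capability to bind PORT (i.e. the port is below 1024).
needs_net_bind_service() {
    [ "$1" -lt 1024 ]
}

# suggest_port_mapping HOST_PORT CONTAINER_PORT -> prints a -p mapping when the
# application listens on an unprivileged port inside the container, so the
# privileged host port is handled by Docker and no capability is added.
# Fails if the container-side port itself is privileged.
suggest_port_mapping() {
    if needs_net_bind_service "$2"; then
        echo "container port $2 is privileged; listen on >=1024 inside (EXPOSE) and map it" >&2
        return 1
    fi
    printf '%s %s:%s\n' -p "$1" "$2"
}

# build_run_args IMAGE CAP... -> prints the docker run arguments, always starting
# from --cap-drop=ALL. Returns 1 (after printing) if any requested capability is
# in the broad set, so a CI step can refuse to proceed without a human decision.
build_run_args() {
    image=$1
    shift
    args="--cap-drop=ALL"
    rc=0
    for c in "$@"; do
        if [ "$(classify_cap "$c")" = "broad" ]; then
            echo "WARN: $c bundles many privileged operations; reconsider or find an alternative" >&2
            rc=1
        fi
        args="$args --cap-add=$c"
    done
    printf '%s %s\n' "$args" "$image"
    return $rc
}

# Stand-alone demo using the two commands from the page.
build_run_args myapp:1.0 NET_BIND_SERVICE
build_run_args myapp:1.0 SYS_ADMIN || true
suggest_port_mapping 80 8080
```

In use, the narrow request passes silently, the SYS_ADMIN request prints a warning and returns non-zero, and the port helper shows that mapping host port 80 onto an internal 8080 listener needs no capability at all.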

Why Capability Addition Caution Matters

Treating every capability addition as a deliberate decision, rather than simply adding whatever resolves an immediate error, helps avoid inadvertently granting a broad, high-risk privilege when a narrower capability or an alternative design would have sufficed.