
11.2.2.2 Capability Dropping

A focused guide to Capability Dropping, connecting core concepts with practical Docker and container operations.

Capability dropping removes specific Linux capabilities from the set a container is granted. The most common pattern drops every capability and then explicitly adds back only what is genuinely needed, giving precise control over the container's actual privilege footprint.

Dropping All Capabilities as a Starting Point

The most thorough approach drops every capability, establishing a minimal baseline before adding back anything specifically required.

docker run --cap-drop=ALL myapp:1.0

A container started this way has none of Docker's default capabilities, only whatever might be explicitly added back afterward.

Adding Back Only What's Genuinely Needed

Specific capabilities are added back individually, based on what the application actually requires to function correctly.

docker run --cap-drop=ALL --cap-add=NET_BIND_SERVICE myapp:1.0

This combination starts from a fully restricted baseline and grants back exactly one specific capability, rather than relying on Docker's broader default set.

Identifying Required Capabilities Through Testing

Determining exactly which capabilities an application needs typically involves iterative testing — starting fully restricted, then adding capabilities one at a time as specific failures reveal an actual need.

docker run --rm --cap-drop=ALL myapp:1.0
Error: permission denied binding to port 80

A failure like this reveals that NET_BIND_SERVICE is specifically needed, informing the next iteration's configuration.

Applying This Pattern Within Compose

The same capability dropping and adding pattern is expressible within a Compose service definition.

services:
  api:
    cap_drop:
      - ALL
    cap_add:
      - NET_BIND_SERVICE
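
Once a container is running with the testing loop above or the Compose definition, the practical check is to read its effective capability mask and compare it with the intended cap_add list. The following is an added example, not code from the original page: it decodes the CapEff word from a /proc/<pid>/status dump (for example `docker exec <ctr> grep Cap /proc/1/status`) using the bit numbers from <linux/capability.h>; the two status excerpts are constructed samples, not real captures.

```python
# Added example (not from the original page): verify that a running
# container's effective capability set matches what cap_drop: ALL plus
# cap_add intends. Bit numbers follow <linux/capability.h>; the two
# /proc/<pid>/status excerpts below are constructed samples, not captures.

CAP_BITS = {
    0: "CHOWN", 1: "DAC_OVERRIDE", 2: "DAC_READ_SEARCH", 3: "FOWNER",
    4: "FSETID", 5: "KILL", 6: "SETGID", 7: "SETUID", 8: "SETPCAP",
    9: "LINUX_IMMUTABLE", 10: "NET_BIND_SERVICE", 11: "NET_BROADCAST",
    12: "NET_ADMIN", 13: "NET_RAW", 14: "IPC_LOCK", 15: "IPC_OWNER",
    16: "SYS_MODULE", 17: "SYS_RAWIO", 18: "SYS_CHROOT", 19: "SYS_PTRACE",
    20: "SYS_PACCT", 21: "SYS_ADMIN", 22: "SYS_BOOT", 23: "SYS_NICE",
    24: "SYS_RESOURCE", 25: "SYS_TIME", 26: "SYS_TTY_CONFIG", 27: "MKNOD",
    28: "LEASE", 29: "AUDIT_WRITE", 30: "AUDIT_CONTROL", 31: "SETFCAP",
    32: "MAC_OVERRIDE", 33: "MAC_ADMIN", 34: "SYSLOG", 35: "WAKE_ALARM",
    36: "BLOCK_SUSPEND", 37: "AUDIT_READ", 38: "PERFMON", 39: "BPF",
    40: "CHECKPOINT_RESTORE",
}

# Constructed: what `grep Cap /proc/1/status` might show inside a container
# started with --cap-drop=ALL --cap-add=NET_BIND_SERVICE (bit 10 only) ...
RESTRICTED_STATUS = "CapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"
# ... and inside one that kept a broad default-style set (bits 0,1,3-8,10,13,18,27,29,31).
DEFAULT_STATUS = "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"

def decode_cap_mask(hex_mask: str) -> set[str]:
    """Translate a CapEff/CapPrm hex word into capability names."""
    mask = int(hex_mask, 16)
    names = {name for bit, name in CAP_BITS.items() if mask >> bit & 1}
    # Surface bits the table does not know rather than dropping them silently.
    unknown = mask & ~sum(1 << bit for bit in CAP_BITS)
    if unknown:
        names.add(f"UNKNOWN_BITS_0x{unknown:x}")
    return names

def effective_caps(status_text: str) -> set[str]:
    """Pull the CapEff line out of a /proc/<pid>/status dump and decode it."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_cap_mask(line.split()[1])
    raise ValueError("no CapEff line found")

def unexpected_caps(effective: set[str], cap_add: list[str]) -> list[str]:
    """After cap_drop: ALL, anything effective but not in cap_add is a gap."""
    allowed = {c.upper().removeprefix("CAP_") for c in cap_add}
    return sorted(effective - allowed)
```

With the Compose policy from above, `unexpected_caps(effective_caps(RESTRICTED_STATUS), ["NET_BIND_SERVICE"])` returns an empty list, while the same call on DEFAULT_STATUS lists the thirteen capabilities the default-style container still holds.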

Why Capability Dropping Matters

Dropping all capabilities by default and explicitly adding back only what's genuinely required is one of the most effective, precise ways to minimize a container's actual privilege footprint, going meaningfully further than simply accepting Docker's broader default capability set.