Docker imposes certain limitations that make working with capabilities much simpler. For example, file capabilities are stored within a file's extended attributes, and extended attributes are stripped out when Docker images are built. This means you will not normally have to concern yourself too much with file capabilities in containers.
Docker images cannot have files with capability bits set. This reduces the risk of Docker containers using capabilities to escalate privileges. However, it is possible to mount volumes that contain files with capability bits set into containers. Therefore you should use caution if doing this.
These are inaccurate. The limitation was removed with BuildKit / buildx, IIRC, which has been the default image builder since Docker 23 (released Feb 2023) and which can preserve extended file attributes.
I believe the main issue prior was that you'd lose the extended attributes via a COPY, but they would otherwise remain intact so long as the image layer was on a file system that supported the file attributes? (I recall an issue with AUFS, which may still be problematic for some NAS systems.)
No thank you, large backlog to work through for a while 😅 Just came across the article at the time and thought I'd raise awareness that it was outdated information.
Source: https://dockerlabs.collabnix.com/advanced/security/capabilities/ (dockerlabs/advanced/security/capabilities/README.md, lines 37 and 281 in 962fab8)
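Whichever builder produced an image, the way to settle whether file capabilities survived is to inspect the layer tarballs rather than trust the documentation. The script below is an added example written for this issue; it is not code from the dockerlabs project or from the issue author. It assumes that layer tars record extended attributes as PAX records named `SCHILY.xattr.<name>` (the convention Go's archive/tar, and therefore Docker/BuildKit, use), and it decodes the `security.capability` value (struct vfs_cap_data, revisions 1 to 3) into getcap-style output. The sample layer is constructed in memory so the script runs offline; the paths and payloads in it are made up.

```python
"""Find files carrying a Linux file capability inside an image layer tar.

Added example; not dockerlabs project code. Assumes xattrs are stored as
PAX records "SCHILY.xattr.<name>" (Go archive/tar convention). The sample
layer built by build_sample_layer() is constructed test data.
"""
import io
import struct
import tarfile

# Capability numbers -> names, from linux/capability.h (0..40).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]
CAP_BY_NAME = {n: i for i, n in enumerate(CAP_NAMES)}

XATTR_KEY = "SCHILY.xattr.security.capability"
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
VFS_CAP_REVISION_1, VFS_CAP_REVISION_2, VFS_CAP_REVISION_3 = 0x01000000, 0x02000000, 0x03000000


def encode_vfs_cap(permitted, inheritable=(), effective=True, rootid=None):
    """Build a security.capability value (what setcap(8) writes); used here
    only to construct sample data. rootid != None selects revision 3."""
    p = sum(1 << CAP_BY_NAME[n] for n in permitted)
    i = sum(1 << CAP_BY_NAME[n] for n in inheritable)
    magic = VFS_CAP_REVISION_3 if rootid is not None else VFS_CAP_REVISION_2
    if effective:
        magic |= VFS_CAP_FLAGS_EFFECTIVE
    buf = struct.pack("<IIIII", magic, p & 0xFFFFFFFF, i & 0xFFFFFFFF, p >> 32, i >> 32)
    return buf + (struct.pack("<I", rootid) if rootid is not None else b"")


def _names(mask):
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else "cap_%d" % b
            for b in range(mask.bit_length()) if mask >> b & 1]


def decode_vfs_cap(raw):
    """Decode struct vfs_cap_data (little-endian) into capability names."""
    if len(raw) < 4:
        raise ValueError("security.capability value too short")
    magic = struct.unpack_from("<I", raw, 0)[0]
    rev = magic & VFS_CAP_REVISION_MASK
    sizes = {VFS_CAP_REVISION_1: (1, 12), VFS_CAP_REVISION_2: (2, 20), VFS_CAP_REVISION_3: (2, 24)}
    if rev not in sizes:
        raise ValueError("unknown vfs_cap_data revision 0x%08x" % rev)
    words, size = sizes[rev]
    if len(raw) != size:
        raise ValueError("revision %d expects %d bytes, got %d" % (rev >> 24, size, len(raw)))
    permitted = inheritable = 0
    for w in range(words):  # data[w] = {permitted, inheritable} 32-bit halves
        p, i = struct.unpack_from("<II", raw, 4 + 8 * w)
        permitted |= p << (32 * w)
        inheritable |= i << (32 * w)
    out = {"revision": rev >> 24, "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE),
           "permitted": _names(permitted), "inheritable": _names(inheritable)}
    if rev == VFS_CAP_REVISION_3:
        out["rootid"] = struct.unpack_from("<I", raw, 20)[0]
    return out


def format_getcap(caps):
    """Render like getcap(8), e.g. 'cap_net_raw=ep'. The file effective bit
    applies to the whole permitted set."""
    flags = {}
    for n in caps["permitted"]:
        flags.setdefault(n, set()).update("pe" if caps["effective"] else "p")
    for n in caps["inheritable"]:
        flags.setdefault(n, set()).add("i")
    groups = {}
    for n in sorted(flags, key=lambda n: CAP_BY_NAME.get(n, 999)):
        groups.setdefault("".join(c for c in "eip" if c in flags[n]), []).append("cap_" + n)
    return " ".join("%s=%s" % (",".join(names), f) for f, names in groups.items())


def scan_layer(layer_bytes):
    """Return {path: decoded caps} for every member with security.capability."""
    found = {}
    with tarfile.open(fileobj=io.BytesIO(layer_bytes), mode="r:*") as tar:
        for member in tar:
            value = member.pax_headers.get(XATTR_KEY)
            if value is not None:  # tarfile hands back the raw bytes as str
                found[member.name] = decode_vfs_cap(value.encode("utf-8", "surrogateescape"))
    return found


def build_sample_layer():
    """Constructed layer tar: one binary with cap_net_raw, one with a
    revision-3 (user-namespace) capability, one with none."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w", format=tarfile.PAX_FORMAT) as tar:
        for path, payload, caps in (
            ("usr/bin/ping", b"\x7fELF-sample", encode_vfs_cap(["net_raw"])),
            ("usr/local/bin/helper", b"#!/bin/sh\n", encode_vfs_cap(["sys_admin", "net_bind_service"], rootid=0)),
            ("bin/sh", b"\x7fELF-sample", None),
        ):
            info = tarfile.TarInfo(path)
            info.size, info.mode = len(payload), 0o755
            if caps is not None:
                info.pax_headers[XATTR_KEY] = caps.decode("utf-8", "surrogateescape")
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


if __name__ == "__main__":
    for path, caps in scan_layer(build_sample_layer()).items():
        print(path, format_getcap(caps))
```

To check a real image, extract the layer tarballs from `docker save <image>` and pass each one to `scan_layer`; a non-empty result means file capabilities did survive the build and the image grants them to whoever can execute that binary. Inside a running container, `getcap -r / 2>/dev/null` is the equivalent runtime check.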