# rkt --insecure-options=image run docker://debian:stretch-slim --dns 8.8.8.8 --interactive --exec=/bin/bash
# apt update && apt install -y strace libcap2-bin
# rkt enter ...
# strace /bin/ls
(strace output)
# capsh --print
Current: = cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_linux_immutable,cap_net_bind_service,cap_net_broadcast,cap_net_admin,cap_net_raw,cap_ipc_lock,cap_ipc_owner,cap_sys_module,cap_sys_rawio,cap_sys_chroot,cap_sys_ptrace,cap_sys_pacct,cap_sys_admin,cap_sys_boot,cap_sys_nice,cap_sys_resource,cap_sys_time,cap_sys_tty_config,cap_mknod,cap_lease,cap_audit_write,cap_audit_control,cap_setfcap,cap_mac_override,cap_mac_admin,cap_syslog,cap_wake_alarm,cap_block_suspend,cap_audit_read+ep
...
# rkt --insecure-options=image run registry-1.docker.io/library/debian:stretch-slim --dns 8.8.8.8 --interactive --exec=/bin/bash --caps-retain=cap_chown,cap_dac_override,cap_dac_read_search,...
# apt update && apt install -y strace libcap2-bin
# strace /bin/ls
Bad system call (core dumped)
# rkt --insecure-options=image run docker://debian:stretch-slim --dns 8.8.8.8 --interactive --exec=/bin/bash --seccomp mode=retain,@appc.io/all
# apt update && apt install -y strace libcap2-bin
# capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+ep
# strace /bin/ls
(strace output)
capabilities(7) and seccomp(2) are orthogonal technologies.