portainer/app/docker/models/containerCapabilities.js

var capDesc = {
    'SETPCAP': 'Modify process capabilities.',
    'MKNOD': 'Create special files using mknod(2).',
    'AUDIT_WRITE': 'Write records to kernel auditing log.',
    'CHOWN': 'Make arbitrary changes to file UIDs and GIDs (see chown(2)).',
    'NET_RAW': 'Use RAW and PACKET sockets.',
    'DAC_OVERRIDE': 'Bypass file read, write, and execute permission checks.',
    'FOWNER': 'Bypass permission checks on operations that normally require the file system UID of the process to match the UID of the file.',
    'FSETID': 'Don’t clear set-user-ID and set-group-ID permission bits when a file is modified.',
    'KILL': 'Bypass permission checks for sending signals.',
    'SETGID': 'Make arbitrary manipulations of process GIDs and supplementary GID list.',
    'SETUID': 'Make arbitrary manipulations of process UIDs.',
    'NET_BIND_SERVICE': 'Bind a socket to internet domain privileged ports (port numbers less than 1024).',
    'SYS_CHROOT': 'Use chroot(2), change root directory.',
    'SETFCAP': 'Set file capabilities.',
    'SYS_MODULE': 'Load and unload kernel modules.',
    'SYS_RAWIO': 'Perform I/O port operations (iopl(2) and ioperm(2)).',
    'SYS_PACCT': 'Use acct(2), switch process accounting on or off.',
    'SYS_ADMIN': 'Perform a range of system administration operations.',
    'SYS_NICE': 'Raise process nice value (nice(2), setpriority(2)) and change the nice value for arbitrary processes.',
    'SYS_RESOURCE': 'Override resource Limits.',
    'SYS_TIME': 'Set system clock (settimeofday(2), stime(2), adjtimex(2)); set real-time (hardware) clock.',
    'SYS_TTY_CONFIG': 'Use vhangup(2); employ various privileged ioctl(2) operations on virtual terminals.',
    'AUDIT_CONTROL': 'Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules.',
    'MAC_ADMIN': 'Allow MAC configuration or state changes. Implemented for the Smack LSM.',
    'MAC_OVERRIDE': 'Override Mandatory Access Control (MAC). Implemented for the Smack Linux Security Module (LSM).',
    'NET_ADMIN': 'Perform various network-related operations.',
    'SYSLOG': 'Perform privileged syslog(2) operations.',
    'DAC_READ_SEARCH': 'Bypass file read permission checks and directory read and execute permission checks.',
    'LINUX_IMMUTABLE': 'Set the FS_APPEND_FL and FS_IMMUTABLE_FL i-node flags.',
    'NET_BROADCAST': 'Make socket broadcasts, and listen to multicasts.',
    'IPC_LOCK': 'Lock memory (mlock(2), mlockall(2), mmap(2), shmctl(2)).',
    'IPC_OWNER': 'Bypass permission checks for operations on System V IPC objects.',
    'SYS_PTRACE': 'Trace arbitrary processes using ptrace(2).',
    'SYS_BOOT': 'Use reboot(2) and kexec_load(2), reboot and load a new kernel for later execution.',
    'LEASE': 'Establish leases on arbitrary files (see fcntl(2)).',
    'WAKE_ALARM': 'Trigger something that will wake up the system.',
    'BLOCK_SUSPEND': 'Employ features that can block system suspend.'
};

export function ContainerCapabilities() {
    // all capabilities can be found at https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
    return [
        new ContainerCapability('SETPCAP', true),
        new ContainerCapability('MKNOD', true),
        new ContainerCapability('AUDIT_WRITE', true),
        new ContainerCapability('CHOWN', true),
        new ContainerCapability('NET_RAW', true),
        new ContainerCapability('DAC_OVERRIDE', true),
        new ContainerCapability('FOWNER', true),
        new ContainerCapability('FSETID', true),
        new ContainerCapability('KILL', true),
        new ContainerCapability('SETGID', true),
        new ContainerCapability('SETUID', true),
        new ContainerCapability('NET_BIND_SERVICE', true),
        new ContainerCapability('SYS_CHROOT', true),
        new ContainerCapability('SETFCAP', true),
        new ContainerCapability('SYS_MODULE', false),
        new ContainerCapability('SYS_RAWIO', false),
        new ContainerCapability('SYS_PACCT', false),
        new ContainerCapability('SYS_ADMIN', false),
        new ContainerCapability('SYS_NICE', false),
        new ContainerCapability('SYS_RESOURCE', false),
        new ContainerCapability('SYS_TIME', false),
        new ContainerCapability('SYS_TTY_CONFIG', false),
        new ContainerCapability('AUDIT_CONTROL', false),
        new ContainerCapability('MAC_ADMIN', false),
        new ContainerCapability('MAC_OVERRIDE', false),
        new ContainerCapability('NET_ADMIN', false),
        new ContainerCapability('SYSLOG', false),
        new ContainerCapability('DAC_READ_SEARCH', false),
        new ContainerCapability('LINUX_IMMUTABLE', false),
        new ContainerCapability('NET_BROADCAST', false),
        new ContainerCapability('IPC_LOCK', false),
        new ContainerCapability('IPC_OWNER', false),
        new ContainerCapability('SYS_PTRACE', false),
        new ContainerCapability('SYS_BOOT', false),
        new ContainerCapability('LEASE', false),
        new ContainerCapability('WAKE_ALARM', false),
        new ContainerCapability('BLOCK_SUSPEND', false)
    ].sort(function (a, b) {
        return a.capability < b.capability ? -1 : 1;
    });
}

export function ContainerCapability(cap, allowed) {
    this.capability = cap;
    this.allowed = allowed;
    this.description = capDesc[cap];
}