
To fine-tune the low-level operating system actions a container can perform, such as dropping specific kernel privileges like `NET_RAW`, what security feature is used?

The security feature used to fine-tune the low-level operating system actions a container can perform, such as dropping specific kernel privileges like `NET_RAW`, is Linux Capabilities.

Linux Capabilities are a security mechanism that breaks the traditional `root` superuser privilege into distinct, granular units. Instead of granting a process all-or-nothing root access, specific capabilities can be assigned, allowing the process to perform only the privileged operations it needs without holding full, unrestricted `root` power. This significantly reduces the attack surface.

In the context of containers, container runtimes use Linux Capabilities as a fundamental security boundary. Containers are typically started with a default set of capabilities that is already a reduced subset of all available capabilities, so a process running as `root` inside a container does not have all the privileges of `root` on the host system. To fine-tune a container's permissions further, users can explicitly `drop` (remove) or `add` (grant) specific capabilities at container creation time.

For example, dropping the `NET_RAW` capability prevents a container from creating raw sockets, which are used for direct manipulation of network packets and can enable activities such as packet sniffing or IP spoofing. With `NET_RAW` removed, even a process running as root within the container cannot perform these low-level network actions, which enforces the principle of least privilege.
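The effect of dropping a capability can be verified on a running process rather than taken on trust: the kernel exposes each process's capability sets as hex bitmasks in `/proc/<pid>/status` (the `CapEff` line is the set that governs permission checks). The script below is an added example, not code from the original page. It decodes such a mask using the `CAP_*` bit numbers from the kernel's `capability.h`, reports whether `NET_RAW` (bit 13) is present, computes the mask a `--cap-drop=NET_RAW` would leave, and compares the live set against a least-privilege allow-list. The `/proc` status text is constructed inline and carries the mask a container started with Docker's default capability set shows; `WEB_SERVICE_POLICY` is a hypothetical policy chosen for illustration.

```python
"""Decode a Linux capability bitmask (as shown in /proc/<pid>/status) and
check it against a least-privilege policy.

Added example, not code from the original page. The CAP_* numbering below
follows include/uapi/linux/capability.h; the sample /proc status text is
constructed inline and carries Docker's default capability mask.
"""
import re

# Capability name -> bit number, per include/uapi/linux/capability.h.
CAPABILITIES = {
    "CHOWN": 0, "DAC_OVERRIDE": 1, "DAC_READ_SEARCH": 2, "FOWNER": 3,
    "FSETID": 4, "KILL": 5, "SETGID": 6, "SETUID": 7, "SETPCAP": 8,
    "LINUX_IMMUTABLE": 9, "NET_BIND_SERVICE": 10, "NET_BROADCAST": 11,
    "NET_ADMIN": 12, "NET_RAW": 13, "IPC_LOCK": 14, "IPC_OWNER": 15,
    "SYS_MODULE": 16, "SYS_RAWIO": 17, "SYS_CHROOT": 18, "SYS_PTRACE": 19,
    "SYS_PACCT": 20, "SYS_ADMIN": 21, "SYS_BOOT": 22, "SYS_NICE": 23,
    "SYS_RESOURCE": 24, "SYS_TIME": 25, "SYS_TTY_CONFIG": 26, "MKNOD": 27,
    "LEASE": 28, "AUDIT_WRITE": 29, "AUDIT_CONTROL": 30, "SETFCAP": 31,
    "MAC_OVERRIDE": 32, "MAC_ADMIN": 33, "SYSLOG": 34, "WAKE_ALARM": 35,
    "BLOCK_SUSPEND": 36, "AUDIT_READ": 37, "PERFMON": 38, "BPF": 39,
    "CHECKPOINT_RESTORE": 40,
}
BIT_TO_NAME = {bit: name for name, bit in CAPABILITIES.items()}

# Constructed sample of the capability lines from /proc/<pid>/status for a
# root process started by Docker with its default capability set (no
# --cap-add / --cap-drop). CapEff is the set that governs permission checks.
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""


def read_cap_mask(status_text, field="CapEff"):
    """Return the named capability set from /proc status text as an int."""
    m = re.search(rf"^{field}:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if not m:
        raise ValueError(f"{field} not found in status text")
    return int(m.group(1), 16)


def decode_caps(mask):
    """Expand a capability bitmask into the set of capability names."""
    names = set()
    bit = 0
    while mask >> bit:
        if mask & (1 << bit):
            names.add(BIT_TO_NAME.get(bit, f"UNKNOWN_{bit}"))
        bit += 1
    return names


def has_cap(mask, name):
    """True if the named capability's bit is set in the mask."""
    return bool(mask & (1 << CAPABILITIES[name]))


def drop_caps(mask, names):
    """Mask with the given capabilities removed (what --cap-drop produces)."""
    for name in names:
        mask &= ~(1 << CAPABILITIES[name])
    return mask


def check_policy(mask, allowed):
    """Capabilities present in `mask` that the allow-list does not permit."""
    return sorted(decode_caps(mask) - set(allowed))


# Hypothetical least-privilege policy for a plain web service: bind a low
# port and drop root after start-up, nothing else.
WEB_SERVICE_POLICY = {"NET_BIND_SERVICE", "SETGID", "SETUID"}

if __name__ == "__main__":
    eff = read_cap_mask(SAMPLE_STATUS)
    print(f"CapEff = {eff:#018x}: {sorted(decode_caps(eff))}")
    print("NET_RAW present:", has_cap(eff, "NET_RAW"))
    print("Unexpected under policy:", check_policy(eff, WEB_SERVICE_POLICY))
    hardened = drop_caps(eff, {"NET_RAW"})
    print(f"After --cap-drop=NET_RAW: {hardened:#018x}; NET_RAW present:",
          has_cap(hardened, "NET_RAW"))
```

To audit a real container, read `/proc/<pid>/status` of the container's init process from the host (or `/proc/self/status` from inside it) and pass the text to `read_cap_mask`; the same decoding applies to `CapBnd`, the bounding set, which is what limits capabilities a process can ever regain.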