nextcloud · Fs00 · Apr 25, 2026 · Apr 25, 2026 · Apr 25, 2026 · Apr 28, 2026
diff --git a/php/containers.json b/php/containers.json
@@ -406,7 +406,7 @@
         "CHOWN"
       ],
       "cap_drop": [
-        "NET_RAW"
+        "ALL"
       ]
     },
     {

diff --git a/php/src/Container/Container.php b/php/src/Container/Container.php
@@ -27,6 +27,8 @@ public function __construct(
         public bool                          $enableNvidiaGpu,
         /** @var string[] */
         public array                         $capAdd,
+        /** @var string[] */
+        public array                         $capDrop,
         public int                           $shmSize,
         public bool                          $apparmorUnconfined,
         /** @var string[] */

diff --git a/php/src/ContainerDefinitionFetcher.php b/php/src/ContainerDefinitionFetcher.php
@@ -298,6 +298,11 @@ private function GetDefinition(): array
                 $capAdd = $entry['cap_add'];
             }
 
+            $capDrop = [];
+            if (isset($entry['cap_drop'])) {
+                $capDrop = $entry['cap_drop'];
+            }
+
             $shmSize = -1;
             if (isset($entry['shm_size'])) {
                 $shmSize = $entry['shm_size'];
@@ -360,6 +365,7 @@ private function GetDefinition(): array
                 $devices,
                 $enableNvidiaGpu,
                 $capAdd,
+                $capDrop,
                 $shmSize,
                 $apparmorUnconfined,
                 $backupVolumes,

diff --git a/php/src/Docker/DockerActionManager.php b/php/src/Docker/DockerActionManager.php
@@ -378,8 +378,11 @@ public function CreateContainer(Container $container): void {
             $requestBody['HostConfig']['CapAdd'] = $capAdds;
         }
 
-        // Disable arp spoofing
-        if (!in_array('NET_RAW', $capAdds, true)) {
+        $capDrops = $container->capDrop;
+        if (count($capDrops) > 0) {
+            $requestBody['HostConfig']['CapDrop'] = $capDrops;
+        } else if (!in_array('NET_RAW', $capAdds, true)) {
+            // Prevent ARP spoofing by default
             $requestBody['HostConfig']['CapDrop'] = ['NET_RAW'];
         }
 
@@ -440,9 +443,11 @@ public function CreateContainer(Container $container): void {
         // Special things for the collabora container which should not be exposed in the containers.json
         } elseif ($container->identifier === 'nextcloud-aio-collabora') {
             if (!$this->configurationManager->collaboraSeccompDisabled) {
-                // Load reference seccomp profile for collabora
+                // Load reference seccomp profile for collabora...
                 $seccompProfile = (string)file_get_contents(DataConst::GetCollaboraSeccompProfilePath());
                 $requestBody['HostConfig']['SecurityOpt'] = ["label:disable", "seccomp=$seccompProfile"];
+                // ...which allows the collabora container to run without any capabilities
+                $requestBody['HostConfig']['CapAdd'] = [];
             }
 
             // Additional Collabora options
-Original file line number
+Diff line change
@@ Expand Up / @@ -406,7 +406,7 @@ @@
             "CHOWN"
           ],
           "cap_drop": [
-            "NET_RAW"
+            "ALL"
           ]
         },
         {
@@ Expand Down @@