What capabilities are required for "ls /"

OS: circleCI machine ubuntu-1604:201903-01
Kernel: 4.15.0-1027-gcp #28~16.04.1-Ubuntu SMP
Image: archlinux:20200407

(1) $ docker --version
Docker version 18.09.3, build 774a1f4

(2) $ sudo -i docker run -d --memory 7168M --memory-swap 7168M --name arch -u 0:0 archlinux:20200407 /bin/sleep 1d
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
3d281ce849ff37d51b131eef9f012e1829cd4e7bd373d79ab696506f4eb2c339

(3) $ sudo -i docker exec -w / -i arch /bin/ls -Al /
/bin/ls: cannot access '/': Operation not permitted

(4) $ sudo -i docker exec -w / -i arch /bin/ls -Al
/bin/ls: cannot access 'home': Operation not permitted
/bin/ls: cannot access 'dev': Operation not permitted
/bin/ls: cannot access 'sys': Operation not permitted
/bin/ls: cannot access 'boot': Operation not permitted
/bin/ls: cannot access 'srv': Operation not permitted
/bin/ls: cannot access 'etc': Operation not permitted
/bin/ls: cannot access 'mnt': Operation not permitted
/bin/ls: cannot access 'usr': Operation not permitted
/bin/ls: cannot access 'var': Operation not permitted
/bin/ls: cannot access 'run': Operation not permitted
/bin/ls: cannot access 'lib64': Operation not permitted
/bin/ls: cannot access 'proc': Operation not permitted
/bin/ls: cannot access 'opt'total 0
l????????? ? ? ? ?            ? bin
d????????? ? ? ? ?            ? boot
d????????? ? ? ? ?            ? dev
-????????? ? ? ? ?            ? .dockerenv
d????????? ? ? ? ?            ? etc
d????????? ? ? ? ?            ? home
l????????? ? ? ? ?            ? lib
l????????? ? ? ? ?            ? lib64
d????????? ? ? ? ?            ? mnt
d????????? ? ? ? ?            ? opt
d????????? ? ? ? ?            ? proc
d????????? ? ? ? ?            ? root
d????????? ? ? ? ?            ? run
l????????? ? ? ? ?            ? sbin
d????????? ? ? ? ?            ? srv
d????????? ? ? ? ?            ? sys
d????????? ? ? ? ?            ? tmp
d????????? ? ? ? ?            ? usr
d????????? ? ? ? ?            ? var
: Operation not permitted
/bin/ls: cannot access 'root': Operation not permitted
/bin/ls: cannot access 'bin': Operation not permitted
/bin/ls: cannot access 'tmp': Operation not permitted
/bin/ls: cannot access 'sbin': Operation not permitted
/bin/ls: cannot access 'lib': Operation not permitted
/bin/ls: cannot access '.dockerenv': Operation not permitted

Why may I not access the root dir in (3)?
Why am I able to access the root dir in (4)?
Why are the usernames gone in (4)?
If I docker run --privileged then ls works fine. Is it suggesting that even a mere listing of files in root dir requires some --cap-add?

Belated reply, but I can’t see anything wrong and was not able to reproduce it on my Ubuntu Eoan VM:

$ sudo -i docker run -d --memory 7168M --memory-swap 7168M --name arch -u 0:0 archlinux:20200407 /bin/sleep 1d
WARNING: Your kernel does not support swap limit capabilities or the cgroup is not mounted. Memory limited without swap.
daeb279adac7f63afce746a1548f2ad8458146ecba00f617d9a9d69f4e78c88f

$ sudo -i docker exec -w / -i arch /bin/ls -Al /
total 44
lrwxrwxrwx   1 root root    7 Nov 13  2019 bin -> usr/bin
drwxr-xr-x   2 root root 4096 Nov 13  2019 boot
drwxr-xr-x   5 root root  340 Oct  8 23:22 dev
-rwxr-xr-x   1 root root    0 Oct  8 23:22 .dockerenv
drwxr-xr-x   1 root root 4096 Oct  8 23:22 etc
drwxr-xr-x   2 root root 4096 Nov 13  2019 home
lrwxrwxrwx   1 root root    7 Nov 13  2019 lib -> usr/lib
lrwxrwxrwx   1 root root    7 Nov 13  2019 lib64 -> usr/lib
drwxr-xr-x   2 root root 4096 Nov 13  2019 mnt
drwxr-xr-x   2 root root 4096 Nov 13  2019 opt
dr-xr-xr-x 237 root root    0 Oct  8 23:22 proc
drwxr-x---   2 root root 4096 Nov 13  2019 root
drwxr-xr-x   2 root root 4096 Nov 13  2019 run
lrwxrwxrwx   1 root root    7 Nov 13  2019 sbin -> usr/bin
drwxr-xr-x   4 root root 4096 Apr  7  2020 srv
dr-xr-xr-x  13 root root    0 Oct  8 23:22 sys
drwxrwxrwt   1 root root 4096 Apr  8  2020 tmp
drwxr-xr-x   1 root root 4096 Apr  7  2020 usr
drwxr-xr-x   1 root root 4096 Apr  7  2020 var

> Is it suggesting that even a mere listing of files in root dir requires some --cap-add?

Most certainly not. Within a container you should be able to list the files at the container’s root dir.
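
A diagnostic sketch for the question above, added here as an example and not part of either post: it decodes the CapEff mask in /proc/<pid>/status to check whether a container process really lacks a file-access capability. It also reads the Seccomp field, which goes slightly beyond the thread, because --privileged lifts more than capabilities. The sample status text is constructed and the function names are hypothetical.

```python
import sys

# Bit numbers from <linux/capability.h>; only the names needed here are listed.
CAP_BITS = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 10: "CAP_NET_BIND_SERVICE",
    13: "CAP_NET_RAW", 18: "CAP_SYS_CHROOT", 21: "CAP_SYS_ADMIN",
    27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}
SECCOMP_MODES = {0: "disabled", 1: "strict", 2: "filter"}

# Constructed sample: excerpt of /proc/<pid>/status for a root process holding
# Docker's default capability set with a seccomp filter attached.
SAMPLE_STATUS = """\
Name:\tsleep
Uid:\t0\t0\t0\t0
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
Seccomp:\t2
"""

def parse_status(text):
    """Turn 'Key:<tab>value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def decode_caps(hexmask):
    """Expand a hex capability mask into names (bitN for unlisted bits)."""
    mask = int(hexmask, 16)
    return [CAP_BITS.get(b, f"bit{b}") for b in range(64) if (mask >> b) & 1]

def summarize(text):
    f = parse_status(text)
    caps = decode_caps(f["CapEff"])
    return {
        "euid": int(f["Uid"].split()[1]),  # Uid: real, effective, saved, fs
        "caps": caps,
        # Either capability lets a process bypass directory read/search checks.
        "dac_bypass": bool({"CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH"} & set(caps)),
        "seccomp": SECCOMP_MODES.get(int(f.get("Seccomp", "0")), "unknown"),
    }

if __name__ == "__main__":
    # Pipe in the status file of the container's process, else use the sample.
    text = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    print(summarize(text))
```

If `dac_bypass` is true for a UID 0 process and `ls` still returns "Operation not permitted", the denial is not coming from a missing capability, so adding one with --cap-add will not change it.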