
Add SYS_CHROOT cap to unprivileged containers

Fixes #6103
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)

Michael Crosby authored on 2014/06/03 10:23:47
Showing 2 changed files
... ...
@@ -20,6 +20,7 @@ func New() *libcontainer.Container {
20 20
 			"SETFCAP",
21 21
 			"SETPCAP",
22 22
 			"NET_BIND_SERVICE",
23
+			"SYS_CHROOT",
23 24
 		},
24 25
 		Namespaces: map[string]bool{
25 26
 			"NEWNS":  true,
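Review bot: The added `"SYS_CHROOT"` entry widens the default capability set of every unprivileged container, yet the line carries no comment saying why it belongs there. This list is the container's privilege boundary, so each default entry should state its reason; I would write `"SYS_CHROOT", // lets in-container tooling call chroot(2); see #6103`. The body of New() starts and ends outside the hunk, so the rest of the capability list, and how chroot interacts with it, cannot be checked from here.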
... ...
@@ -873,3 +873,15 @@ func TestThatCharacterDevicesActLikeCharacterDevices(t *testing.T) {
873 873
 
874 874
 	logDone("run - test that character devices work.")
875 875
 }
876
+
877
+func TestRunUnprivilegedWithChroot(t *testing.T) {
878
+	cmd := exec.Command(dockerBinary, "run", "busybox", "chroot", "/", "true")
879
+
880
+	if _, err := runCommand(cmd); err != nil {
881
+		t.Fatal(err)
882
+	}
883
+
884
+	deleteAllContainers()
885
+
886
+	logDone("run - unprivileged with chroot")
887
+}
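Review bot: `deleteAllContainers()` is skipped when `runCommand` fails, because `t.Fatal(err)` ends the test before the cleanup line is reached, so a failing run leaves its container behind for later tests. Registering the cleanup first, with `defer deleteAllContainers()` as the opening statement of TestRunUnprivilegedWithChroot, avoids that. The command output is also discarded; keeping it with `out, err := runCommand(cmd)` and `t.Fatal(err, out)` would show whether chroot failed with a permission error. That assumes runCommand's first result is the output, which the hunk does not show.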