Kernel capabilities for privileged syslog operations have been split into
CAP_SYS_ADMIN and CAP_SYSLOG since the following commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce6ada35bdf710d16582cc4869c26722547e6f11
This patch drops CAP_SYSLOG to prevent containers from messing with
the host's syslog (e.g. `dmesg -c` clears the host's printk ring buffer).
Closes #5491
Docker-DCO-1.1-Signed-off-by: Eiichi Tsukata <devel@etsukata.com> (github: Etsukata)
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
| ... | ... |
@@ -25,6 +25,7 @@ func New() *libcontainer.Container {
|
| 25 | 25 |
libcontainer.GetCapability("MAC_ADMIN"),
|
| 26 | 26 |
libcontainer.GetCapability("NET_ADMIN"),
|
| 27 | 27 |
libcontainer.GetCapability("MKNOD"),
|
| 28 |
+ libcontainer.GetCapability("SYSLOG"),
|
|
| 28 | 29 |
}, |
| 29 | 30 |
Namespaces: libcontainer.Namespaces{
|
| 30 | 31 |
libcontainer.GetNamespace("NEWNS"),
|
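Review bot: Adding `libcontainer.GetCapability("SYSLOG")` in New() protects the host's printk ring buffer only if `SYS_ADMIN` is in the same list, and that part of the list is outside this hunk. As far as I know, the kernel commit cited in the description kept accepting CAP_SYS_ADMIN for syslog operations as a deprecated fallback, so a container that retains it could presumably still run `dmesg -c`. The list appears to be a denylist of capabilities removed from the container, so anything not named in it stays granted. I would say so in a comment above the new entry, for example `// SYSLOG: keep containers from reading or clearing the host printk ring buffer; capabilities not listed here are retained`.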
| ... | ... |
@@ -53,6 +53,7 @@ var ( |
| 53 | 53 |
{Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE, Enabled: false},
|
| 54 | 54 |
{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN, Enabled: false},
|
| 55 | 55 |
{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN, Enabled: false},
|
| 56 |
+ {Key: "SYSLOG", Value: capability.CAP_SYSLOG, Enabled: false},
|
|
| 56 | 57 |
} |
| 57 | 58 |
) |
| 58 | 59 |
|
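Review bot: The new `{Key: "SYSLOG", ...}` row is linked to the template's `GetCapability("SYSLOG")` call only by a string, and nothing in this section checks that the two stay in sync. What GetCapability returns for an unknown key is not visible here; if it returns a nil or zero entry, a typo in either place could silently skip the drop. A short comment on the row would help, such as `// CAP_SYSLOG: privileged syslog(2) operations, split out of CAP_SYS_ADMIN; dropped by the default template`. A test asserting that the default template's capability list contains this key would turn a future mismatch into a failure. The `var (` block starts outside this hunk.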