From 68849feeeda39a2124cb5d30bc5bd2e3db956a2f Mon Sep 17 00:00:00 2001
From: Eiichi Tsukata
Date: Wed, 30 Apr 2014 15:20:22 +0900
Subject: [PATCH] drop CAP_SYSLOG capability
Kernel capabilities for privileged syslog operations are currently splitted into CAP_SYS_ADMIN and CAP_SYSLOG since the following commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce6ada35bdf710d16582cc4869c26722547e6f11
This patch drops CAP_SYSLOG to prevent containers from messing with host's syslog (e.g. `dmesg -c` clears up host's printk ring buffer).
Closes #5491
Docker-DCO-1.1-Signed-off-by: Eiichi Tsukata (github: Etsukata)
Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 libcontainer/container.json | 5 +++++
 libcontainer/types.go | 1 +
 2 files changed, 6 insertions(+)
diff --git a/libcontainer/container.json b/libcontainer/container.json
index f15a49a..20c1121 100644
--- a/libcontainer/container.json
+++ b/libcontainer/container.json
@@ -91,6 +91,11 @@
 "value" : 27,
 "key" : "MKNOD",
 "enabled" : true
+ },
+ {
+ "value" : 34,
+ "key" : "SYSLOG",
+ "enabled" : false
 }
 ],
 "networks" : [
diff --git a/libcontainer/types.go b/libcontainer/types.go
index ade3c32..f5fe6cf 100644
--- a/libcontainer/types.go
+++ b/libcontainer/types.go
@@ -53,6 +53,7 @@ var (
 {Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE, Enabled: false},
 {Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN, Enabled: false},
 {Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN, Enabled: false},
+ {Key: "SYSLOG", Value: capability.CAP_SYSLOG, Enabled: false},
 }
 )
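Review bot: Dropping CAP_SYSLOG by adding a `{Key: "SYSLOG", Value: capability.CAP_SYSLOG, Enabled: false}` entry to `capabilityList` suggests that a capability the list does not name stays in the container, so the list fails open for anything it has not enumerated; the `container.json` hunk has the same dependency, since a config written before this change has no `SYSLOG` entry and would presumably keep the capability. The code that consumes the list is not visible in this patch, so this is inferred from the fact that the entry was needed at all. If it holds, I would document it above the list, e.g. `// Capabilities not named in this list are NOT dropped; add every new kernel capability here with Enabled: false.`, and consider deriving the drop set from the enabled entries so that unknown capabilities are dropped by default. The `var (` block begins above the hunk.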