vbatts/pkg
1
0
Fork 0
Code Pull requests Releases Activity

drop CAP_SYSLOG capability

Browse source 
Kernel capabilities for privileged syslog operations are currently splitted into
CAP_SYS_ADMIN and CAP_SYSLOG since the following commit:
http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce6ada35bdf710d16582cc4869c26722547e6f11

This patch drops CAP_SYSLOG to prevent containers from messing with
host's syslog (e.g. `dmesg -c` clears up host's printk ring buffer).

Closes #5491

Docker-DCO-1.1-Signed-off-by: Eiichi Tsukata <devel@etsukata.com> (github: Etsukata)
Docker-DCO-1.1-Signed-off-by: Michael Crosby <michael@crosbymichael.com> (github: crosbymichael)
This commit is contained in:
Eiichi Tsukata 2014-04-30 15:20:22 +09:00 committed by Michael Crosby
parent 4ed7d8b533
commit 68849feeed
2 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
libcontainer/container.json
View file

@ -91,6 +91,11 @@
"value" : 27, "value" : 27,
"key" : "MKNOD", "key" : "MKNOD",
"enabled" : true "enabled" : true
},
{
"value" : 34,
"key" : "SYSLOG",
"enabled" : false
} }
], ],
"networks" : [ "networks" : [

1
libcontainer/types.go
View file

@ -53,6 +53,7 @@ var (
{Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE, Enabled: false}, {Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE, Enabled: false},
{Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN, Enabled: false}, {Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN, Enabled: false},
{Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN, Enabled: false}, {Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN, Enabled: false},
{Key: "SYSLOG", Value: capability.CAP_SYSLOG, Enabled: false},
} }
) )