From 41f7cef2bd186d321fc4489691ba53ab41eb48e5 Mon Sep 17 00:00:00 2001
From: Michael Crosby
Date: Mon, 2 Jun 2014 18:23:47 -0700
Subject: [PATCH] Add SYS_CHROOT cap to unprivileged containers

Fixes #6103

Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael)
---
 .../execdriver/native/template/default_template.go | 1 +
 integration-cli/docker_cli_run_test.go | 12 ++++++++++++
 2 files changed, 13 insertions(+)

diff --git a/daemon/execdriver/native/template/default_template.go b/daemon/execdriver/native/template/default_template.go
index 21c888a034..e7d3143df9 100644
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -20,6 +20,7 @@ func New() *libcontainer.Container {
 "SETFCAP",
 "SETPCAP",
 "NET_BIND_SERVICE",
+ "SYS_CHROOT",
 },
 Namespaces: map[string]bool{
 "NEWNS": true,
diff --git a/integration-cli/docker_cli_run_test.go b/integration-cli/docker_cli_run_test.go
index 209d730f93..545ad371ee 100644
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@@ -873,3 +873,15 @@ func TestThatCharacterDevicesActLikeCharacterDevices(t *testing.T) {
 logDone("run - test that character devices work.")
 }
+
+func TestRunUnprivilegedWithChroot(t *testing.T) {
+ cmd := exec.Command(dockerBinary, "run", "busybox", "chroot", "/", "true")
+
+ if _, err := runCommand(cmd); err != nil {
+ t.Fatal(err)
+ }
+
+ deleteAllContainers()
+
+ logDone("run - unprivileged with chroot")
+}
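Review bot: The new `"SYS_CHROOT"` entry is added with no rationale, and from the hunk header this slice appears to be the default capability set handed to every container built by New(), so the reason it is granted deserves a why-comment next to it, e.g. `"SYS_CHROOT", // allow chroot(2) inside unprivileged containers; see #6103`. Widening the default set is a security-relevant change, so any documentation that enumerates the default capabilities presumably needs the same addition — worth checking alongside this commit. The enclosing New() function starts and ends outside the hunk.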
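Review bot: `deleteAllContainers()` in the new TestRunUnprivilegedWithChroot is skipped whenever `t.Fatal(err)` fires, so a failing `docker run` leaves the busybox container behind for the rest of the suite; moving the cleanup to `defer deleteAllContainers()` immediately after the `cmd :=` line keeps teardown on both paths. The first return value of `runCommand` is discarded, so on failure the log carries only the error; if that value is the exit code or output, including it in the `t.Fatal` call would make a capability-related chroot failure easier to diagnose. The leading context lines belong to TestThatCharacterDevicesActLikeCharacterDevices, whose start is outside the hunk; the new function itself is complete.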