Merge pull request #6171 from crosbymichael/add-chroot

Add SYS_CHROOT cap to unprivileged containers
2022-11-09 12:21:53 -05:00 · 2014-06-02 18:33:34 -07:00 · 2014-06-02 18:33:34 -07:00 · 5bf4068d60
commit 5bf4068d60
parent 3fb0870878 41f7cef2bd
2 changed files with 13 additions and 0 deletions
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@ -20,6 +20,7 @@ func New() *libcontainer.Container {
 			"SETFCAP",
 			"SETPCAP",
 			"NET_BIND_SERVICE",
+			"SYS_CHROOT",
 		},
 		Namespaces: map[string]bool{
 			"NEWNS":  true,
--- a/integration-cli/docker_cli_run_test.go
+++ b/integration-cli/docker_cli_run_test.go
@ -873,3 +873,15 @@ func TestThatCharacterDevicesActLikeCharacterDevices(t *testing.T) {

 	logDone("run - test that character devices work.")
 }
+
+func TestRunUnprivilegedWithChroot(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "run", "busybox", "chroot", "/", "true")
+
+	if _, err := runCommand(cmd); err != nil {
+		t.Fatal(err)
+	}
+
+	deleteAllContainers()
+
+	logDone("run - unprivileged with chroot")
+}