From cac0cea03f85191b3d92cdaeae827fdd93fb1b29 Mon Sep 17 00:00:00 2001 From: Eiichi Tsukata Date: Wed, 30 Apr 2014 15:20:22 +0900 Subject: [PATCH] drop CAP_SYSLOG capability Kernel capabilities for privileged syslog operations are currently splitted into CAP_SYS_ADMIN and CAP_SYSLOG since the following commit: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=ce6ada35bdf710d16582cc4869c26722547e6f11 This patch drops CAP_SYSLOG to prevent containers from messing with host's syslog (e.g. `dmesg -c` clears up host's printk ring buffer). Closes #5491 Docker-DCO-1.1-Signed-off-by: Eiichi Tsukata (github: Etsukata) Docker-DCO-1.1-Signed-off-by: Michael Crosby (github: crosbymichael) --- daemon/execdriver/lxc/init.go | 1 + daemon/execdriver/native/template/default_template.go | 1 + pkg/libcontainer/container.json | 5 +++++ pkg/libcontainer/types.go | 1 + 4 files changed, 8 insertions(+)
diff --git a/daemon/execdriver/lxc/init.go b/daemon/execdriver/lxc/init.go
index 324bd5eff7..52d75fc9f8 100644
--- a/daemon/execdriver/lxc/init.go
+++ b/daemon/execdriver/lxc/init.go
@@ -149,6 +149,7 @@ func setupCapabilities(args *execdriver.InitArgs) error {
 capability.CAP_MAC_OVERRIDE,
 capability.CAP_MAC_ADMIN,
 capability.CAP_NET_ADMIN,
+ capability.CAP_SYSLOG,
 }
 c, err := capability.NewPid(os.Getpid())
diff --git a/daemon/execdriver/native/template/default_template.go b/daemon/execdriver/native/template/default_template.go
index c354637fcb..5dbe21ecb0 100644
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -25,6 +25,7 @@ func New() *libcontainer.Container {
 libcontainer.GetCapability("MAC_ADMIN"),
 libcontainer.GetCapability("NET_ADMIN"),
 libcontainer.GetCapability("MKNOD"),
+ libcontainer.GetCapability("SYSLOG"),
 },
 Namespaces: libcontainer.Namespaces{
 libcontainer.GetNamespace("NEWNS"),
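Review bot: The drop list in `setupCapabilities` (daemon/execdriver/lxc/init.go) is a denylist, so a capability that newer kernels introduce and that nobody appends here stays available to the container; judging by the commit message, that is how CAP_SYSLOG remained usable after it was split out of CAP_SYS_ADMIN, and the capability table patched in pkg/libcontainer/types.go has the same shape. Until the logic is inverted to keep only an explicit allowlist, a comment above the list would record the obligation, e.g. `// Denylist: every capability added by newer kernels must be appended here, or containers keep it.` The hunk does not show whether capabilities introduced after CAP_SYSLOG are listed, so that is worth checking in the same pass. The function body starts and ends outside the hunk.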
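Review bot: In `New()` (daemon/execdriver/native/template/default_template.go) the added `GetCapability("SYSLOG")` sits directly under `GetCapability("MKNOD")`, yet container.json in this same patch marks MKNOD `"enabled" : true` and SYSLOG `"enabled" : false`, so presence in this list does not by itself tell a reader whether a capability is kept or dropped. A short comment on the new line would make the intent auditable: `// SYSLOG must stay disabled so containers cannot read or clear the host kernel log`. GetCapability's behaviour for an unknown key is not visible here; if a mistyped name yields nil, the drop would presumably be lost silently, so a unit test asserting that the SYSLOG entry is non-nil and not enabled would be a cheap guard. The function continues outside the hunk.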
diff --git a/pkg/libcontainer/container.json b/pkg/libcontainer/container.json
index f15a49ab05..20c1121911 100644
--- a/pkg/libcontainer/container.json
+++ b/pkg/libcontainer/container.json
@@ -91,6 +91,11 @@
 "value" : 27,
 "key" : "MKNOD",
 "enabled" : true
+ },
+ {
+ "value" : 34,
+ "key" : "SYSLOG",
+ "enabled" : false
 }
 ],
 "networks" : [
diff --git a/pkg/libcontainer/types.go b/pkg/libcontainer/types.go
index ade3c32f1d..f5fe6cffa9 100644
--- a/pkg/libcontainer/types.go
+++ b/pkg/libcontainer/types.go
@@ -53,6 +53,7 @@ var (
 {Key: "MAC_OVERRIDE", Value: capability.CAP_MAC_OVERRIDE, Enabled: false},
 {Key: "MAC_ADMIN", Value: capability.CAP_MAC_ADMIN, Enabled: false},
 {Key: "NET_ADMIN", Value: capability.CAP_NET_ADMIN, Enabled: false},
+ {Key: "SYSLOG", Value: capability.CAP_SYSLOG, Enabled: false},
 }
 )
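Review bot: The new `SYSLOG` row in pkg/libcontainer/types.go only closes the hole if `SYS_ADMIN` is disabled as well, because, as the commit message states, privileged syslog operations are split between CAP_SYS_ADMIN and CAP_SYSLOG. No SYS_ADMIN row is visible in this hunk, so confirm that one exists with `Enabled: false`, and tie the two together with a comment on the new entry such as `// SYSLOG and SYS_ADMIN both gate privileged syslog(2) operations; keep both disabled by default`. A regression test that builds the default container and checks that neither capability is enabled would keep the pair from drifting apart. The `var (` block starts outside the hunk.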