Merge pull request #6171 from crosbymichael/add-chroot

Add SYS_CHROOT cap to unprivileged containers Upstream-commit: 5bf4068d60222b1fdfc997e498aa2096b8df3cf9 Component: engine
2014-06-02 18:33:34 -07:00
parent 6017cb1878 382f8a23ad
commit f363828126
2 changed files with 13 additions and 0 deletions
--- a/components/engine/daemon/execdriver/native/template/default_template.go
+++ b/components/engine/daemon/execdriver/native/template/default_template.go
@ -20,6 +20,7 @@ func New() *libcontainer.Container {
 			"SETFCAP",
 			"SETPCAP",
 			"NET_BIND_SERVICE",
+			"SYS_CHROOT",
 		},
 		Namespaces: map[string]bool{
 			"NEWNS":  true,
--- a/components/engine/integration-cli/docker_cli_run_test.go
+++ b/components/engine/integration-cli/docker_cli_run_test.go
@ -873,3 +873,15 @@ func TestThatCharacterDevicesActLikeCharacterDevices(t *testing.T) {

 	logDone("run - test that character devices work.")
 }
+
+func TestRunUnprivilegedWithChroot(t *testing.T) {
+	cmd := exec.Command(dockerBinary, "run", "busybox", "chroot", "/", "true")
+
+	if _, err := runCommand(cmd); err != nil {
+		t.Fatal(err)
+	}
+
+	deleteAllContainers()
+
+	logDone("run - unprivileged with chroot")
+}