From 92f0745ed898949bae0fdf82df4dca83f7a37f5c Mon Sep 17 00:00:00 2001 From: Mai Bui Date: Mon, 22 Jul 2024 12:28:40 -0400 Subject: [PATCH] [docker-database] limit privileged flag for database container (#19248) #### Why I did it HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364) ##### Work item tracking - Microsoft ADO **(number only)**: 14807420 #### How I did it Reduce linux capabilities in privileged flag #### How to verify it Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps. ``` admin@vlab-08:~$ docker inspect database0 | jq '.[0] | {CapAdd: .HostConfig.CapAdd, Privileged: .HostConfig.Privileged, AppArmor: .AppArmorProfile, Security Opt: .HostConfig.SecurityOpt, Devices: .HostConfig.Devices, MaskedPath: .HostConfig.MaskedPaths, ReadonlyPaths: .HostConfig.ReadonlyPaths}' { "CapAdd": null, "Privileged": false, "AppArmor": "unconfined", "SecurityOpt": [ "apparmor=unconfined" ], "Devices": [], "MaskedPath": [], "ReadonlyPaths": [] } ``` --- rules/docker-database.mk | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/rules/docker-database.mk b/rules/docker-database.mk index c38f574afbfb..3b16960f632a 100644 --- a/rules/docker-database.mk +++ b/rules/docker-database.mk @@ -28,7 +28,7 @@ SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_DATABASE_DBG) SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_DATABASE_DBG) $(DOCKER_DATABASE)_CONTAINER_NAME = database -$(DOCKER_DATABASE)_RUN_OPT += --privileged -t +$(DOCKER_DATABASE)_RUN_OPT += -t --security-opt apparmor=unconfined --security-opt="systempaths=unconfined" $(DOCKER_DATABASE)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro $(DOCKER_DATABASE)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro