From 030c57200da5a827319f5eacdfa6deac02c5b7f5 Mon Sep 17 00:00:00 2001
From: Mai Bui
Date: Tue, 15 Aug 2023 14:27:12 -0400
Subject: [PATCH] [docker-lldp] limit privileged flag for lldp container (#15830)

#### Why I did it
HLD implementation: Container Hardening (https://github.com/sonic-net/SONiC/pull/1364)
##### Work item tracking
- Microsoft ADO **(number only)**: 14807420
#### How I did it
Reduce linux capabilities in privileged flag, retain NET_ADMIN capability
---
 rules/docker-lldp.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/docker-lldp.mk b/rules/docker-lldp.mk
index 95172d6cf3..ddd079c4d3 100644
--- a/rules/docker-lldp.mk
+++ b/rules/docker-lldp.mk
@@ -28,7 +28,7 @@ SONIC_DOCKER_DBG_IMAGES += $(DOCKER_LLDP_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_LLDP_DBG)
 $(DOCKER_LLDP)_CONTAINER_NAME = lldp
-$(DOCKER_LLDP)_RUN_OPT += --privileged -t
+$(DOCKER_LLDP)_RUN_OPT += -t --cap-add=NET_ADMIN
 $(DOCKER_LLDP)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_LLDP)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro
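Review bot: The new `--cap-add=NET_ADMIN` line names only the capability this container is explicitly granted, while an LLDP daemon presumably also depends on raw packet sockets (CAP_NET_RAW), which it would still be receiving from the Docker default capability set rather than from anything in this file; that implicit dependency is not recorded anywhere in the hunk. A comment above the line would keep a later `--cap-drop=ALL` style hardening step from silently breaking the daemon, e.g. `# lldpd needs NET_ADMIN; NET_RAW (raw sockets for LLDP frames) is assumed to come from Docker's default capability set`. Since `--privileged` also disabled the default seccomp/AppArmor confinement and exposed host devices, it would be worth stating in the description that no `--security-opt` or `--device` option was needed in their place, as the hunk shows none being added. The `$(DOCKER_LLDP)_RUN_OPT` option list may continue past the last visible line of the hunk.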