[docker-restapi] limit privileged flag for restapi container (#17138)

Why I did it HLD implementation: Container Hardening (sonic-net/SONiC#1364) Work item tracking Microsoft ADO (number only): 14807420 How I did it Reduce linux capabilities in privileged flag How to verify it Run restapi sonic-mgmt tests on sn4600c Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
2023-11-21 01:50:31 -05:00 · 2023-11-21 01:50:31 -05:00 · 6ea03f9f78
commit 6ea03f9f78
parent 6dfaf5e293
1 changed files with 1 additions and 1 deletions
--- a/rules/docker-restapi.mk
+++ b/rules/docker-restapi.mk
@ -19,7 +19,7 @@ SONIC_INSTALL_DOCKER_IMAGES += $(DOCKER_RESTAPI)
 endif

 $(DOCKER_RESTAPI)_CONTAINER_NAME = restapi
-$(DOCKER_RESTAPI)_RUN_OPT += --cap-add NET_ADMIN --privileged -t
+$(DOCKER_RESTAPI)_RUN_OPT += -t
 $(DOCKER_RESTAPI)_RUN_OPT += -v /var/run/redis/redis.sock:/var/run/redis/redis.sock
 $(DOCKER_RESTAPI)_RUN_OPT += -v /etc/sonic/credentials:/etc/sonic/credentials:ro
 $(DOCKER_RESTAPI)_RUN_OPT += -p=8081:8081/tcp