From 80615f45db88581ed43994645ebeef4f126e0028 Mon Sep 17 00:00:00 2001
From: Mai Bui <maibui@microsoft.com>
Date: Tue, 28 Nov 2023 14:35:22 +0700
Subject: [PATCH] [docker-sonic-mgmt-framework] limit privileged flag for
 mgmt-framework container (#17217)

Why I did it
HLD implementation: Container Hardening (sonic-net/SONiC#1364)

Work item tracking
Microsoft ADO (number only): 14807420
How I did it
Reduce linux capabilities in privileged flag

How to verify it
Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps.
---
 rules/docker-sonic-mgmt-framework.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/docker-sonic-mgmt-framework.mk b/rules/docker-sonic-mgmt-framework.mk
index 7985f8e9be..1f26de3961 100644
--- a/rules/docker-sonic-mgmt-framework.mk
+++ b/rules/docker-sonic-mgmt-framework.mk
@@ -29,7 +29,7 @@ SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_MGMT_FRAMEWORK_DBG)
 endif
 
 $(DOCKER_MGMT_FRAMEWORK)_CONTAINER_NAME = mgmt-framework
-$(DOCKER_MGMT_FRAMEWORK)_RUN_OPT += --privileged -t
+$(DOCKER_MGMT_FRAMEWORK)_RUN_OPT += -t
 $(DOCKER_MGMT_FRAMEWORK)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_MGMT_FRAMEWORK)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro 
 $(DOCKER_MGMT_FRAMEWORK)_RUN_OPT += -v /etc:/host_etc:ro