[docker-snmp] limit privileged flag for snmp container (#16971)

maipbui · web-flow · commit 682057945f3c · 2023-11-16T22:15:37.000+08:00
Why I did it HLD implementation: Container Hardening (sonic-net/SONiC#1364) Work item tracking Microsoft ADO (number only): 14807420 How I did it Reduce linux capabilities in privileged flag How to verify it Run snmp sonic-mgmt tests Check container's settings: Privileged is false and container only has default Linux caps, does not have extended caps. admin@vlab-01:~$ docker inspect snmp | grep Privi "Privileged": false, admin@vlab-01:~$ docker exec -it snmp bash root@vlab-01:/# capsh --print Current: cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap=ep Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_se
diff --git a/rules/docker-snmp.mk b/rules/docker-snmp.mk
@@ -28,7 +28,7 @@ SONIC_DOCKER_DBG_IMAGES += $(DOCKER_SNMP_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_SNMP_DBG)
 
 $(DOCKER_SNMP)_CONTAINER_NAME = snmp
-$(DOCKER_SNMP)_RUN_OPT += --privileged -t
+$(DOCKER_SNMP)_RUN_OPT += -t
 $(DOCKER_SNMP)_RUN_OPT += -v /etc/sonic:/etc/sonic:ro
 $(DOCKER_SNMP)_RUN_OPT += -v /etc/timezone:/etc/timezone:ro 
 $(DOCKER_SNMP)_FILES += $(SUPERVISOR_PROC_EXIT_LISTENER_SCRIPT)
