From ce2347eda606b447a42879fe0616de5b9bd0f9e2 Mon Sep 17 00:00:00 2001
From: Justin Cormack <justin.cormack@docker.com>
Date: Fri, 4 Aug 2017 12:48:27 +0100
Subject: [PATCH] Enable sysctl kernel.dmesg_restrict

This requires that users have `CAP_SYSLOG` in order to access `dmesg`.
This means that containers by default have no access to `dmesg` (which
can leak information about the host or other containers) unless they
have this capability added.

Signed-off-by: Justin Cormack <justin.cormack@docker.com>
---
 pkg/sysctl/etc/sysctl.d/00-linuxkit.conf | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
index bb59b989c..db498738e 100644
--- a/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
+++ b/pkg/sysctl/etc/sysctl.d/00-linuxkit.conf
@@ -22,6 +22,7 @@ net.ipv4.conf.default.accept_redirects = 0
 net.ipv4.conf.default.accept_source_route = 0
 net.ipv6.conf.all.accept_redirects = 0
 net.ipv6.conf.default.accept_redirects = 0
+kernel.dmesg_restrict = 1
 kernel.perf_event_paranoid = 3
 fs.protected_hardlinks = 1
 fs.protected_symlinks = 1