From 764faff104bbe4835f4bc584e7d6b8f3349ef071 Mon Sep 17 00:00:00 2001
From: Mai Bui <maibui@microsoft.com>
Date: Mon, 30 Dec 2024 13:25:06 -0500
Subject: [PATCH] [docker-orchagent] limit privileged flag for swss container
 (#17598)

[docker-orchagent] limit privileged flag for swss container

Signed-off-by: Mai Bui <maibui@microsoft.com>
---
 rules/docker-orchagent.mk | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rules/docker-orchagent.mk b/rules/docker-orchagent.mk
index a1a6c34e88a7..2095306689f1 100644
--- a/rules/docker-orchagent.mk
+++ b/rules/docker-orchagent.mk
@@ -37,7 +37,7 @@ SONIC_BOOKWORM_DBG_DOCKERS += $(DOCKER_ORCHAGENT_DBG)
 SONIC_INSTALL_DOCKER_DBG_IMAGES += $(DOCKER_ORCHAGENT_DBG)
 
 $(DOCKER_ORCHAGENT)_CONTAINER_NAME = swss
-$(DOCKER_ORCHAGENT)_RUN_OPT += --privileged -t
+$(DOCKER_ORCHAGENT)_RUN_OPT += -t --cap-add=NET_ADMIN --security-opt apparmor=unconfined --security-opt="systempaths=unconfined"
 $(DOCKER_ORCHAGENT)_RUN_OPT += -v /etc/network/interfaces:/etc/network/interfaces:ro
 $(DOCKER_ORCHAGENT)_RUN_OPT += -v /etc/localtime:/etc/localtime:ro 
 $(DOCKER_ORCHAGENT)_RUN_OPT += -v /etc/network/interfaces.d/:/etc/network/interfaces.d/:ro