From 0abad3ae2290a2b051b8fdaceab17a1ee41ecfb9 Mon Sep 17 00:00:00 2001
From: Victor Marmol
Date: Mon, 19 May 2014 16:45:52 +0000
Subject: [PATCH] Don't drop CAP_FOWNER in the container.

Also sorts the list of allowed capabilities.

Docker-DCO-1.1-Signed-off-by: Victor Marmol (github: vmarmol)
---
 daemon/execdriver/native/template/default_template.go | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/daemon/execdriver/native/template/default_template.go b/daemon/execdriver/native/template/default_template.go
index 66cfa88a3a..5c41603428 100644
--- a/daemon/execdriver/native/template/default_template.go
+++ b/daemon/execdriver/native/template/default_template.go
@@ -10,12 +10,13 @@ import (
 func New() *libcontainer.Container {
 container := &libcontainer.Container{
 Capabilities: []string{
- "MKNOD",
- "SETUID",
- "SETGID",
 "CHOWN",
- "NET_RAW",
 "DAC_OVERRIDE",
+ "FOWNER",
+ "MKNOD",
+ "NET_RAW",
+ "SETGID",
+ "SETUID",
 },
 Namespaces: map[string]bool{
 "NEWNS": true,
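Review bot: `"FOWNER"` joins the default `Capabilities` list in `New()` with nothing in the code recording why every container needs it. Per capabilities(7), CAP_FOWNER lets a process skip the owner-UID check on operations such as chmod and utime and ignore the sticky bit on deletion, so together with the `DAC_OVERRIDE` already listed it widens what container root can do to files it does not own, including on any host directory mounted into the container. I would add a comment above the entry, e.g. `// FOWNER: container root must chmod/utime files it does not own (<reason / issue reference>)`, and a one-line comment on the list saying that, as the commit message implies, capabilities not named here are dropped. A unit test that pins the exact default set would make the next widening an explicit, reviewed change. The body of `New()` continues past the end of the hunk, so the rest of the template was not visible for this review.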