[lxc-devel] [PATCH] Ubuntu template: Allow mknod (fixing udev upgrades) and drop mac_override and mac_admin from lxc.cap.drop as apparmor has/will have support for namespaces

Stéphane Graber stgraber at ubuntu.com
Wed Nov 2 19:17:48 UTC 2011


---
 templates/lxc-ubuntu.in |    5 ++++-
 1 files changed, 4 insertions(+), 1 deletions(-)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 4f44b03..2be8680 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,9 +179,12 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount  = $path/fstab
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_override mac_admin
+lxc.cap.drop = sys_module
 
 lxc.cgroup.devices.deny = a
+# Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm
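Review bot: The new `lxc.cap.drop = sys_module` line leaves CAP_MAC_ADMIN and CAP_MAC_OVERRIDE with container root on every host, whereas the subject only says AppArmor "has/will have" namespace support. On a host without that support, or where the container runs without a confining profile, the template no longer stops container root from changing or bypassing MAC policy. Consider recording the dependency above that line, e.g. `# mac_admin/mac_override kept: relies on host AppArmor namespace support and a confining profile`, or keeping both capabilities dropped unless that support is detected. The added comment `# Allow any mknod (but not using the node)` could also state that the `m` rules permit only node creation, and that the devices cgroup denies open/read/write only inside this container, so nodes created on storage shared with the host or a less restricted container are not covered. The generated config block starts and ends outside this hunk.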
-- 
1.7.7




