[lxc-devel] [PATCH] Ubuntu template: Allow mknod (fixing udev upgrades) and drop mac_override and mac_admin from lxc.cap.drop as apparmor has/will have support for namespaces
Stéphane Graber
stgraber at ubuntu.com
Wed Nov 2 19:17:48 UTC 2011
---
templates/lxc-ubuntu.in | 5 ++++-
1 files changed, 4 insertions(+), 1 deletions(-)
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 4f44b03..2be8680 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,9 +179,12 @@ lxc.pts = 1024
lxc.rootfs = $rootfs
lxc.mount = $path/fstab
lxc.arch = $arch
-lxc.cap.drop = sys_module mac_override mac_admin
+lxc.cap.drop = sys_module
lxc.cgroup.devices.deny = a
+# Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
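Review bot: The new `lxc.cap.drop = sys_module` line leaves CAP_MAC_ADMIN and CAP_MAC_OVERRIDE with container root on every host, although the subject only says AppArmor namespace support "has/will have" arrived; on a host kernel without it, those capabilities are presumably not confined to the container and would let container root change the host's MAC policy. The template should state that dependency next to the line, e.g. `# mac_admin/mac_override kept: only safe when host AppArmor confines policy changes to the container`, so anyone reusing it on an older kernel knows to put them back in the drop list. The mknod comment could also spell out its limit, `# 'm' only: nodes can be created, opening them still needs an r/w rule below`, and mention that nodes created in the rootfs stay on the backing filesystem, where a process outside this devices cgroup is not bound by these rules. The surrounding config block starts and ends outside the hunk.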
--
1.7.7