[lxc-devel] [PATCH 2/2] Enable seccomp by default for unprivileged users.
Serge Hallyn
serge.hallyn at ubuntu.com
Fri Dec 19 18:23:52 UTC 2014
In contrast to what the comment above the line disabling it said,
it seems to work just fine. It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.
Signed-off-by: Serge Hallyn <serge.hallyn at ubuntu.com>
---
config/templates/userns.conf.in | 4 ----
1 file changed, 4 deletions(-)
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 2d9d7d5..5dc19c7 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -13,7 +13,3 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =
--
2.1.0
More information about the lxc-devel
mailing list