[lxc-devel] [lxc/master] Update gentoo.moresecure.conf.

iDarkTemplar on Github lxc-bot at linuxcontainers.org
Sat Dec 2 07:36:55 UTC 2017


From 23002e923e87bc6e12ec8f424ae77c7b7a236d2f Mon Sep 17 00:00:00 2001
From: "i.Dark_Templar" <darktemplar at dark-templar-archives.net>
Date: Sat, 2 Dec 2017 10:33:51 +0300
Subject: [PATCH] Update gentoo.moresecure.conf.

Closes https://github.com/lxc/lxc/issues/1928

Signed-off-by: i.Dark_Templar <darktemplar at dark-templar-archives.net>
---
 config/templates/gentoo.moresecure.conf.in | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/config/templates/gentoo.moresecure.conf.in b/config/templates/gentoo.moresecure.conf.in
index c08b91c1a..aa7c625cc 100644
--- a/config/templates/gentoo.moresecure.conf.in
+++ b/config/templates/gentoo.moresecure.conf.in
@@ -30,7 +30,8 @@ lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap          # breaks journald
 # lxc.cap.drop = sys_resource     # breaks systemd
-lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap setpcap sys_admin sys_boot sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
+# lxc.cap.drop = sys_boot         # breaks sysvinit
+lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap setpcap sys_admin sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
 
 # WARNING: the security vulnerability reported for 'cap_net_admin' at
 # http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
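Review bot: the new comment line `# lxc.cap.drop = sys_boot         # breaks sysvinit` does not follow the pattern of the two lines above it. `setpcap` ("breaks journald") and `sys_resource` ("breaks systemd") are documented as breaking things yet remain in the active `lxc.cap.drop` list on the next line, whereas here `sys_boot` is removed from that list, so every container using this "moresecure" profile keeps CAP_SYS_BOOT, not only sysvinit ones. Suggest either keeping `sys_boot` in the active line and leaving the comment as a hint for sysvinit users to remove it (consistent with the neighbouring entries), or, if the default really should change, saying so explicitly in the comment and in the commit message rather than only "Closes #1928", so readers of the profile know the hardening was relaxed on purpose.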

