[Lxc-users] Jumping out of a read-only bind mount container
Trent W. Buck
trentbuck at gmail.com
Tue Feb 8 00:16:14 UTC 2011
Andre Nathan <andre at digirati.com.br> writes:
> On Mon, 2011-02-07 at 11:40 +1100, Trent W. Buck wrote:
>> lxc.cap.drop=sys_admin should prevent all mount(2) calls within the
>> container. It seems to work for me. In fact... I thought LXC *always*
>> removed that capability, even if you never mentioned it?
>
> Nice! Is there a list of capabilities LXC drops documented somewhere?
I don't know. The list of capabilities *in general* is the
capabilities(7) manpage.
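As an added illustration of the lxc.cap.drop point made above (this script is not part of the original thread or of the LXC project), the following POSIX shell snippet checks whether a container config actually lists sys_admin in lxc.cap.drop. It assumes the lxc.conf(5) syntax for that key: space-separated lowercase capability names, and the key may be repeated across lines. Both sample configs are constructed inline so the script runs offline; the paths in them are placeholders.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post or from LXC itself.
# Checks an LXC container config for lxc.cap.drop entries and reports whether
# sys_admin is among them, since without CAP_SYS_ADMIN mount(2) in the
# container fails with EPERM. Assumes lxc.conf(5) syntax: the key may appear
# several times and each value is a space-separated list of capability names.

# Constructed sample config: a read-only bind mount but sys_admin NOT dropped.
WEAK_CONF='lxc.rootfs = /var/lib/lxc/example/rootfs
lxc.mount.entry = /srv/data srv/data none bind,ro 0 0
lxc.cap.drop = sys_module mknod'

# Constructed sample config: same, with a second lxc.cap.drop line adding sys_admin.
HARDENED_CONF='lxc.rootfs = /var/lib/lxc/example/rootfs
lxc.mount.entry = /srv/data srv/data none bind,ro 0 0
lxc.cap.drop = sys_module mknod
lxc.cap.drop = sys_admin'

# drops_cap CAPNAME CONFIG_TEXT
# Succeeds (exit 0) when CAPNAME appears in any lxc.cap.drop line of CONFIG_TEXT.
drops_cap() {
    cap=$1
    conf=$2
    printf '%s\n' "$conf" |
        # keep only the value part of lxc.cap.drop lines (tolerates extra whitespace)
        sed -n 's/^[[:space:]]*lxc\.cap\.drop[[:space:]]*=[[:space:]]*//p' |
        # one capability name per line
        tr ' \t' '\n\n' |
        # exact, whole-line match so "sys_admin" does not match "sys_adminx"
        grep -qx "$cap"
}

# check_conf CONFIG_TEXT
# Prints a verdict; returns 0 when sys_admin is dropped, 1 otherwise.
check_conf() {
    if drops_cap sys_admin "$1"; then
        echo "ok: sys_admin is dropped; mount(2) inside the container will fail with EPERM"
        return 0
    fi
    echo "warn: sys_admin is NOT dropped; root inside the container can still call mount(2)"
    return 1
}

check_conf "$WEAK_CONF" || :
check_conf "$HARDENED_CONF" || :
```

Run it against a real container by replacing the embedded text with the output of `cat /var/lib/lxc/NAME/config` (path is the conventional one, adjust to your install). The check is purely static: it tells you what the config asks for, not what the running container was actually started with, so for an incident review confirm the live bounding set from the container's PID 1 (CapBnd in /proc/PID/status) as well.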