[Lxc-users] lxc.cap.drop

Derek Simkowiak derek at simkowiak.net
Wed Oct 26 21:20:19 UTC 2011


     Here is mine:

# Capabilities
#
#     You don't need to drop capabilities.  But for security, you probably
#     want to drop as many capabilities as you can. (See "man capabilities".)
#
# - WARNING: Any read-only mount in $HOST.fstab can be remounted as
#   read-write unless sys_admin is dropped.  You have been warned.
#
# - The hostname command needs sys_admin.  So if you drop sys_admin here,
#   you'll see this harmless warning at lxc-start:
#        init: hostname main process (4) terminated with status 1
#
# - iptables / ufw (and ping?) needs net_raw, so it is not dropped.
# - OpenSSH needs sys_resource, so it is not dropped.
#
lxc.cap.drop=sys_admin audit_control audit_write fsetid ipc_lock ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap setpcap sys_boot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_tty_config sys_time


Thanks,
Derek Simkowiak
http://derek.simkowiak.net

On 10/26/2011 10:31 AM, Ulli Horlacher wrote:
> Is there a "best practises" for lxc.cap.drop configuration?
>
> I have so far as default:
>
> # no MAC change
> lxc.cap.drop = mac_override
>
> # no kernel module (un)loading
> lxc.cap.drop = sys_module
>
> # no reboot
> lxc.cap.drop = sys_boot
>
> # no (un/re)mounting
> lxc.cap.drop = sys_admin
>
> # no time setting
> lxc.cap.drop = sys_time
>
>
> All the corresponding tasks should be done via host and not via container.
>
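As an added example (not part of Derek's post, nor LXC's own code), the script below parses an lxc.cap.drop list in either of the two spellings shown in this thread (one space-separated line, or one capability per line, which it assumes accumulate) and compares the result against the CapEff mask the kernel prints in /proc/<pid>/status, so you can confirm from inside the container that the drops actually took effect. The capability bit numbers are the ones from linux/capability.h; the sample config text and the two CapEff values are constructed for the demonstration.

```python
"""Verify that an lxc.cap.drop list really took effect.

Added example, not code from the original post or from LXC. Decodes the
CapEff bitmask reported in /proc/<pid>/status and compares it with the
capabilities a container config intends to drop.
"""
import re
from typing import Dict, Iterable, Set

# Capability bit numbers from <linux/capability.h>; list index == bit.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid",
    "kill", "setgid", "setuid", "setpcap", "linux_immutable",
    "net_bind_service", "net_broadcast", "net_admin", "net_raw",
    "ipc_lock", "ipc_owner", "sys_module", "sys_rawio", "sys_chroot",
    "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease",
    "audit_write", "audit_control", "setfcap", "mac_override",
    "mac_admin", "syslog", "wake_alarm", "block_suspend", "audit_read",
    "perfmon", "bpf", "checkpoint_restore",
]
CAP_BIT: Dict[str, int] = {name: bit for bit, name in enumerate(CAP_NAMES)}

CAP_DROP_RE = re.compile(r"^\s*lxc\.cap\.drop\s*=\s*(.*)$")


def parse_cap_drop(config_text: str) -> Set[str]:
    """Collect every capability named on lxc.cap.drop lines.

    Accepts a single space-separated list or several one-per-line entries
    (assumed to accumulate). Comment lines are skipped. An unknown name
    raises instead of being ignored: a typo here means that capability is
    NOT dropped, which is exactly the mistake this check is meant to catch.
    """
    dropped: Set[str] = set()
    for line in config_text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = CAP_DROP_RE.match(line)
        if not m:
            continue
        for name in m.group(1).split():
            name = name.lower()
            if name.startswith("cap_"):
                name = name[4:]
            if name not in CAP_BIT:
                raise ValueError(f"unknown capability in lxc.cap.drop: {name}")
            dropped.add(name)
    return dropped


def decode_caps(hex_mask: str) -> Set[str]:
    """Turn a CapEff/CapBnd hex string (as printed in /proc/<pid>/status)
    into the set of capability names whose bit is set."""
    mask = int(hex_mask, 16)
    return {name for name, bit in CAP_BIT.items() if (mask >> bit) & 1}


def expected_mask(dropped: Iterable[str]) -> int:
    """Bitmask a fully privileged root keeps after dropping `dropped`."""
    mask = (1 << len(CAP_NAMES)) - 1
    for name in dropped:
        mask &= ~(1 << CAP_BIT[name])
    return mask


def still_present(hex_mask: str, dropped: Iterable[str]) -> Set[str]:
    """Capabilities the config meant to drop that the process still holds.
    The desired result is the empty set."""
    return set(dropped) & decode_caps(hex_mask)


def read_capeff(pid: int = 1) -> str:
    """Read the effective capability mask of a PID from /proc. Run inside the
    container with pid=1 to check its init. Not used by the sample below."""
    with open(f"/proc/{pid}/status") as f:
        for line in f:
            if line.startswith("CapEff:"):
                return line.split()[1]
    raise RuntimeError("CapEff line not found")


# Constructed sample: Derek's drop list as it would appear in the config.
SAMPLE_CONFIG = """
# Capabilities
lxc.cap.drop=sys_admin audit_control audit_write fsetid ipc_lock ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap setpcap sys_boot sys_module sys_nice sys_pacct sys_ptrace sys_rawio sys_tty_config sys_time
"""

if __name__ == "__main__":
    dropped = parse_cap_drop(SAMPLE_CONFIG)
    # Constructed CapEff values: one matching the config, one where
    # sys_admin was never actually dropped.
    good = format(expected_mask(dropped), "016x")
    leaky = format(expected_mask(dropped) | (1 << CAP_BIT["sys_admin"]), "016x")
    print("clean container, leftovers:", sorted(still_present(good, dropped)))
    print("leaky container, leftovers:", sorted(still_present(leaky, dropped)))
```

To use it on a real container, replace the constructed masks with `read_capeff(1)` run inside the container. Checking the `CapBnd:` line with the same `decode_caps` is also worthwhile: the bounding set is what limits which capabilities a process could regain through execve, so a capability that is absent from CapEff but still in CapBnd has not really been taken away.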
