[Lxc-users] lxc.cap.drop
Derek Simkowiak
derek at simkowiak.net
Wed Oct 26 21:20:19 UTC 2011
Here is mine:
# Capabilities
#
# You don't need to drop capabilities. But for security, you probably
# want to drop as many capabilities as you can. (See "man
capabilities".)
#
# - WARNING: Any read-only mount in $HOST.fstab can be remounted as
# read-write unless sys_admin is dropped. You have been warned.
#
# - The hostname command needs sys_admin. So if you drop sys_admin here,
# you'll see this harmless warning at lxc-start:
# init: hostname main process (4) terminated with status 1
#
# - iptables / ufw (and ping?) needs net_raw, so it is not dropped.
# - OpenSSH needs sys_resource, so it is not dropped.
#
lxc.cap.drop=sys_admin audit_control audit_write fsetid ipc_lock
ipc_owner lease linux_immutable mac_admin mac_override mknod setfcap
setpcap sys_boot sys_module sys_nice sys_pacct sys_ptrace sys_rawio
sys_tty_config sys_time
Thanks,
Derek Simkowiak
http://derek.simkowiak.net
On 10/26/2011 10:31 AM, Ulli Horlacher wrote:
> Is there a "best practises" for lxc.cap.drop configuration?
>
> I have so far as default:
>
> # no MAC change
> lxc.cap.drop = mac_override
>
> # no kernel module (un)loading
> lxc.cap.drop = sys_module
>
> # no reboot
> lxc.cap.drop = sys_boot
>
> # no (un/re)mounting
> lxc.cap.drop = sys_admin
>
> # no time setting
> lxc.cap.drop = sys_time
>
>
> All the corresponding tasks should be done via host and not via container.
>
More information about the lxc-users
mailing list