[Lxc-users] [PATCH 1/1] ubuntu template: disallow cap_sys_module (by popular demand)
Serge E. Hallyn
serge.hallyn at canonical.com
Thu Sep 15 13:21:30 UTC 2011
This isn't particularly reassuring, and will be moot with user
namespaces, but as people are asking for it, turn off sys_module.
While we're at it, turn off mac_admin and mac_override.
Signed-off-by: Serge Hallyn <serge.hallyn at canonical.com>
---
templates/lxc-ubuntu.in | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 9a41a49..05d71b9 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,6 +179,7 @@ lxc.pts = 1024
lxc.rootfs = $rootfs
lxc.mount = $path/fstab
lxc.arch = $arch
+lxc.cap.drop = sys_module mac_override mac_admin
lxc.cgroup.devices.deny = a
# /dev/null and zero
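Review bot: The added `lxc.cap.drop = sys_module mac_override mac_admin` line after `lxc.arch = $arch` goes into the generated container config with no comment. Anyone reading that config later cannot tell why these three capabilities are dropped, or that the drop is not meant as a complete containment boundary, which the commit message itself concedes. A one-line comment above it in the template would cover this, for example `# drop module loading and MAC policy override/administration for container root`. The subject line also names only cap_sys_module while the line drops mac_override and mac_admin as well, so the subject could mention all three to make the change easier to find in the log.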
--
1.7.5.4