Skip to content

L
lxc
Commit cdcee3c7 by Serge E. Hallyn Committed by Daniel Lezcano
Options

ubuntu template: disallow cap_sys_module (by popular demand)

This isn't particularly reassuring, and will be moot with user namespaces, but as people are asking for it, turn off sys_module. While we're at it, turn off mac_admin and mac_override. Signed-off-by: 's avatarSerge Hallyn <serge.hallyn@canonical.com> Signed-off-by: 's avatarDaniel Lezcano <dlezcano@fr.ibm.com>
parent 0f3fe9e0
Showing with 1 addition and 0 deletions
templates/lxc-ubuntu.in
...@@ -179,6 +179,7 @@ lxc.pts = 1024 ...@@ -179,6 +179,7 @@ lxc.pts = 1024
lxc.rootfs = $rootfs lxc.rootfs = $rootfs
lxc.mount = $path/fstab lxc.mount = $path/fstab
lxc.arch = $arch lxc.arch = $arch
lxc.cap.drop = sys_module mac_override mac_admin
lxc.cgroup.devices.deny = a lxc.cgroup.devices.deny = a
# /dev/null and zero # /dev/null and zero
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment