]> git.ipfire.org Git - thirdparty/lxc.git/commitdiff
projects / thirdparty / lxc.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0f3fe9e)
ubuntu template: disallow cap_sys_module (by popular demand)
authorSerge E. Hallyn <serge.hallyn@canonical.com>
Mon, 24 Oct 2011 12:38:30 +0000 (14:38 +0200)
committerDaniel Lezcano <daniel.lezcano@free.fr>
Mon, 24 Oct 2011 12:38:30 +0000 (14:38 +0200)
This isn't particularly reassuring, and will be moot with user
namespaces, but as people are asking for it, turn off sys_module.
While we're at it, turn off mac_admin and mac_override.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
templates/lxc-ubuntu.in patch | blob | blame | history

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 9a41a497606e2638cd97e6478acfed69d1db7009..05d71b99dbfb01e589617deb2951aa939ac9e452 100644 (file)
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,6 +179,7 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount  = $path/fstab
 lxc.arch = $arch
+lxc.cap.drop = sys_module mac_override mac_admin
 
 lxc.cgroup.devices.deny = a
 # /dev/null and zero
Mirror of https://github.com/lxc/lxc.git