config: start with a full capability set

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index bde6f1db21e968daaa64c8c1d6f5d97de17d3da2..63d018964c478eb17b4a326b17ec669927e37a94 100644 (file)
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -2,5 +2,9 @@
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
 
+# Start with a full set of capabilities in user namespaces.
+lxc.cap.drop =
+lxc.cap.keep =
+
 # We can't move bind-mounts, so don't use /dev/lxc/
 lxc.devttydir =