From 5c0d54cd8cb3986369ba2357b0c41b93de595700 Mon Sep 17 00:00:00 2001
From: Christian Brauner
Date: Thu, 1 Mar 2018 17:09:44 +0100
Subject: [PATCH] config: start with a full capability set

Signed-off-by: Christian Brauner
---
 config/templates/userns.conf.in | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index be4fbbc6b..967576b4c 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -2,5 +2,9 @@
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
 
+# Start with a full set of capabilities in user namespaces.
+lxc.cap.drop =
+lxc.cap.keep =
+
 # We can't move bind-mounts, so don't use /dev/lxc/
 lxc.tty.dir =
--
2.47.2
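Review bot: The two empty assignments added after `lxc.cgroup.devices.allow =` clear every capability restriction accumulated from configuration loaded before this template, and the one-line comment above them does not say so. In LXC an empty `lxc.cap.drop =` or `lxc.cap.keep =` resets the list built up to that point, so a drop list set by an earlier include (presumably the common template) is discarded, while one set after this file still applies. The comment should state that reset and the assumption that makes it acceptable, e.g. `# Clear any inherited lxc.cap.drop/lxc.cap.keep: capabilities held here are scoped to the container's user namespace.` It would also help to document that this template is meant only for containers that set `lxc.idmap`; a container without an ID mapping that includes it would, as far as this hunk shows, lose the inherited drops and keep its full capability set against the host.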