Ubuntu template: some tweaks

Allow mknod (fixing udev upgrades) and drop mac_override and mac_admin
from lxc.cap.drop as apparmor has/will have support for namespaces

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 4f44b0303ef915abd57d1b7e481d52ab737d8173..2be868001f725ff213db2677f78515fa5f4d812e 100644 (file)
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,9 +179,12 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount  = $path/fstab
 lxc.arch = $arch
-lxc.cap.drop = sys_module mac_override mac_admin
+lxc.cap.drop = sys_module
 
 lxc.cgroup.devices.deny = a
+# Allow any mknod (but not using the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
 # /dev/null and zero
 lxc.cgroup.devices.allow = c 1:3 rwm
 lxc.cgroup.devices.allow = c 1:5 rwm