From 218f99322c78b7788c0eff1997f95d135741e480 Mon Sep 17 00:00:00 2001
From: Serge Hallyn <serge.hallyn@ubuntu.com>
Date: Fri, 19 Dec 2014 18:23:52 +0000
Subject: [PATCH] Enable seccomp by default for unprivileged users.
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In contrast to what the comment above the line disabling it said,
it seems to work just fine.  It also is needed on current kernels
(until Eric's patch hits upstream) to prevent unprivileged containers
from hosing fuse filesystems they inherit.

Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com>
Acked-by: Stéphane Graber <stgraber@ubuntu.com>
---
 config/templates/userns.conf.in | 4 ----
 1 file changed, 4 deletions(-)

diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index 2d9d7d501..5dc19c72c 100644
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -13,7 +13,3 @@ lxc.mount.entry = /dev/random dev/random none bind,create=file 0 0
 lxc.mount.entry = /dev/tty dev/tty none bind,create=file 0 0
 lxc.mount.entry = /dev/urandom dev/urandom none bind,create=file 0 0
 lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
-
-# Default seccomp policy is not needed for unprivileged containers, and
-# non-root users cannot use seccmp without NNP anyway.
-lxc.seccomp =