proxmox-mirrors/mirror_lxc
1
0
Fork 0
mirror of https://git.proxmox.com/git/mirror_lxc synced 2025-08-03 21:21:39 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

ubuntu template: disallow cap_sys_module (by popular demand)

Browse Source 
This isn't particularly reassuring, and will be moot with user
namespaces, but as people are asking for it, turn off sys_module.
While we're at it, turn off mac_admin and mac_override.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
This commit is contained in:
Serge E. Hallyn 2011-10-24 14:38:30 +02:00 committed by Daniel Lezcano
parent 0f3fe9e0b5
commit cdcee3c7ff
1 changed files with 1 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
templates/lxc-ubuntu.in
View File

@ -179,6 +179,7 @@ lxc.pts = 1024
lxc.rootfs = $rootfs
lxc.mount = $path/fstab
lxc.arch = $arch
lxc.cap.drop = sys_module mac_override mac_admin
lxc.cgroup.devices.deny = a
# /dev/null and zero