From cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915 Mon Sep 17 00:00:00 2001
From: "Serge E. Hallyn" <serge.hallyn@canonical.com>
Date: Mon, 24 Oct 2011 14:38:30 +0200
Subject: [PATCH] ubuntu template: disallow cap_sys_module (by popular demand)

This isn't particularly reassuring, and will be moot with user
namespaces, but as people are asking for it, turn off sys_module.
While we're at it, turn off mac_admin and mac_override.

Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com>
Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
---
 templates/lxc-ubuntu.in | 1 +
 1 file changed, 1 insertion(+)

diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 9a41a4976..05d71b99d 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,6 +179,7 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount  = $path/fstab
 lxc.arch = $arch
+lxc.cap.drop = sys_module mac_override mac_admin
 
 lxc.cgroup.devices.deny = a
 # /dev/null and zero