The following pull request was submitted through GitHub.
It can be accessed and reviewed at:

This e-mail was sent by the LXC bot, direct replies will not reach the author
unless they happen to be subscribed to this list.

=== Description (from pull-request) ===
@brauner I’m not entirely sure about this, could you please answer me two questions?

1. Am I right that `setfcap` is not a security risk, i.e. it cannot be abused to escape from container to the host system?
2. Is it true that `setcap` cannot work in unprivileged containers (i.e. containers that use user namespaces) anyway, only in privileged ones?

From 64365bc2e95b8a62223d65c160215a465b1b8c03 Mon Sep 17 00:00:00 2001
From: Jakub Jirutka <>
Date: Tue, 18 Oct 2016 18:09:42 +0200
Subject: [PATCH] lxc-alpine: do not drop setfcap

Signed-off-by: Jakub Jirutka <>
 config/templates/ | 1 -
 1 file changed, 1 deletion(-)

diff --git a/config/templates/ 
index 1be61f7..b344426 100644
--- a/config/templates/
+++ b/config/templates/
@@ -8,7 +8,6 @@ lxc.devttydir =
 lxc.cap.drop = audit_write
 lxc.cap.drop = ipc_owner
 lxc.cap.drop = mknod
-lxc.cap.drop = setfcap
 lxc.cap.drop = setpcap
 lxc.cap.drop = sys_nice
 lxc.cap.drop = sys_pacct
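
Review bot: the commit message gives no rationale for removing `lxc.cap.drop = setfcap` from the drop list (it carries only the subject and a Signed-off-by), and the pull-request description itself says the author is not sure the change is safe. With this line gone, containers built from this template retain CAP_SETFCAP, which permits setting file capabilities on files inside the container, while `setpcap` directly below it stays dropped. Please add a message body stating why the container needs setfcap and whether the change is intended for privileged containers, unprivileged ones, or both, so the reasoning is recorded with the change once the two questions in the description are answered.
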