Quoting Michele Giacomoli ([email protected]):
> Thank you,
> So, as a result, there is no way to keep capabilities for unprivileged
> containers, and lxc.cap.drop/keep in this case are pretty useless.
> Am I right?

There's no way to keep capabilities targeted at the host. If for whatever reason you want to drop capabilities toward the container itself, you can still use lxc.cap.*, but I don't know of anyone doing that. (It could in fact be a way to prevent some of the otherwise increased kernel surface area)
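
An added example, not part of the original message or of LXC's own code: a check that the capabilities named on `lxc.cap.drop` lines are really absent from the bounding set of the container's init process, read from `/proc/<pid>/status`. It relies on LXC applying `lxc.cap.drop` to the bounding set; the sample config and status text are constructed, and the function names are hypothetical.

```python
import re

# Capability names in bit order, as defined in <linux/capability.h>.
CAP_NAMES = (
    "chown dac_override dac_read_search fowner fsetid kill setgid setuid "
    "setpcap linux_immutable net_bind_service net_broadcast net_admin "
    "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
    "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
    "sys_tty_config mknod lease audit_write audit_control setfcap "
    "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
    "perfmon bpf checkpoint_restore"
).split()
CAP_BITS = {name: bit for bit, name in enumerate(CAP_NAMES)}

# Constructed sample inputs (not taken from a real system).
SAMPLE_CONFIG = """\
# drop a few capabilities inside the container
lxc.cap.drop = sys_module mac_admin
lxc.cap.drop = sys_time
"""
SAMPLE_STATUS = "Name:\tinit\nCapEff:\t0000003dfdfeffff\nCapBnd:\t0000003dfdfeffff\n"

def dropped_in_config(config_text):
    """Return the capability names listed on lxc.cap.drop lines."""
    caps = []
    for line in config_text.splitlines():
        m = re.match(r"\s*lxc\.cap\.drop\s*=\s*(.*)", line)
        if not m:
            continue
        names = m.group(1).lower().split()
        if names:
            caps.extend(names)
        else:
            caps.clear()  # an empty value resets the list built so far
    return caps

def bounding_set(status_text):
    """Parse the CapBnd hex mask from /proc/<pid>/status content."""
    m = re.search(r"^CapBnd:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapBnd line found")
    return int(m.group(1), 16)

def still_present(config_text, status_text):
    """List capabilities the config drops but the bounding set still holds."""
    mask = bounding_set(status_text)
    unknown = [c for c in dropped_in_config(config_text) if c not in CAP_BITS]
    if unknown:
        raise ValueError("unknown capability names: %s" % unknown)
    return [c for c in dropped_in_config(config_text)
            if (mask >> CAP_BITS[c]) & 1]
```

An empty result means every configured drop took effect; in an unprivileged container the remaining bits are still only meaningful inside the container's user namespace, as the reply explains.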
