On Mon, Feb 7, 2011 at 4:53 AM, Andre Nathan <an...@digirati.com.br> wrote:
> On Mon, 2011-02-07 at 10:27 -0200, Andre Nathan wrote:
>> So far, for a container running apache and cron, plus the usual stuff
>> (init, getty, login), I managed to drop these:
>>
>> audit_control, audit_write, fowner, fsetid, ipc_lock, ipc_owner,
>> lease, linux_immutable, mac_admin, mac_override, mknod, net_raw,
>> setfcap, setpcap, sys_admin, sys_boot, sys_module, sys_nice,
>> sys_pacct, sys_ptrace, sys_rawio, sys_resource, sys_time,
>> sys_tty_config
>>
>> So far everything seems to be working, but possibly some more will have
>> to be removed from the list.
>
> Ping needs net_raw on Ubuntu.
>
In my case, I need to disable some sysctls from the container. For example, sysctl -w kernel.randomize_va_space (for ASLR). I am still able to do the above after dropping SYS_ADMIN. How do I go about figuring out the capability vs. functionality mapping?

~nirmal

_______________________________________________
Lxc-users mailing list
Lxc-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/lxc-users
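Both messages above turn on the same question: which capability gates which operation, and whether a drop list actually took effect. The following is an added example written for this thread; it is not code from the lxc project. It decodes the CapEff/CapBnd masks that /proc/<pid>/status prints, turns the keep-list implied by Andre's drop list into an lxc.cap.drop line, and checks a container's /proc/1/status to confirm the dropped capabilities are absent from the bounding set. Bit numbers follow include/linux/capability.h; the status text fed to it is constructed, not captured from a real container. One caveat the check cannot show: on the kernels of the time, writes to /proc/sys entries are permitted by the file's mode bits for uid 0, not by a capability test, which is why a root process can still set kernel.randomize_va_space after CAP_SYS_ADMIN is dropped. The practical way to find the capability behind an operation is to retry it under libcap's capsh (capsh --drop=cap_xxx -- -c 'command') and see whether it starts failing.

```python
"""Decode Linux capability masks and build/check an lxc.cap.drop list.

Added example for the lxc-users thread above; not lxc project code.
Bit numbers follow include/linux/capability.h. Bits 0-33 are the 34
capabilities the 2.6.3x kernels of early 2011 had; later bits are named
where known, and any bit without a name decodes as "cap_<n>".
"""
import re

# bit number -> name as written in lxc.cap.drop (lower case, no CAP_ prefix)
CAP_NAMES = {
    0: "chown", 1: "dac_override", 2: "dac_read_search", 3: "fowner",
    4: "fsetid", 5: "kill", 6: "setgid", 7: "setuid", 8: "setpcap",
    9: "linux_immutable", 10: "net_bind_service", 11: "net_broadcast",
    12: "net_admin", 13: "net_raw", 14: "ipc_lock", 15: "ipc_owner",
    16: "sys_module", 17: "sys_rawio", 18: "sys_chroot", 19: "sys_ptrace",
    20: "sys_pacct", 21: "sys_admin", 22: "sys_boot", 23: "sys_nice",
    24: "sys_resource", 25: "sys_time", 26: "sys_tty_config", 27: "mknod",
    28: "lease", 29: "audit_write", 30: "audit_control", 31: "setfcap",
    32: "mac_override", 33: "mac_admin", 34: "syslog", 35: "wake_alarm",
    36: "block_suspend", 37: "audit_read",
}
CAP_BITS = {name: bit for bit, name in CAP_NAMES.items()}

# Every capability a kernel of the thread's era knew about (bits 0-33).
ALL_CAPS_2011 = frozenset(CAP_NAMES[b] for b in range(34))

# Andre's drop list exactly as posted in the thread.
ANDRE_DROP = frozenset("""
audit_control audit_write fowner fsetid ipc_lock ipc_owner lease
linux_immutable mac_admin mac_override mknod net_raw setfcap setpcap
sys_admin sys_boot sys_module sys_nice sys_pacct sys_ptrace sys_rawio
sys_resource sys_time sys_tty_config
""".split())


def decode_mask(mask):
    """Capability bitmask (int, as in /proc/<pid>/status) -> set of names."""
    names = set()
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.add(CAP_NAMES.get(bit, "cap_%d" % bit))
        bit += 1
    return names


def encode_names(names):
    """Inverse of decode_mask: set of names -> int bitmask."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_BITS[name]
    return mask


def parse_status(status_text):
    """Parse the Cap* lines of a /proc/<pid>/status dump into {field: set(names)}."""
    fields = {}
    pattern = r"^(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)$"
    for m in re.finditer(pattern, status_text, re.MULTILINE):
        fields[m.group(1)] = decode_mask(int(m.group(2), 16))
    return fields


def cap_drop_line(keep, universe=ALL_CAPS_2011):
    """Build the lxc.cap.drop line that leaves only `keep` available."""
    dropped = sorted(universe - set(keep))
    return "lxc.cap.drop = " + " ".join(dropped)


def leaked_caps(status_text, dropped):
    """Names from `dropped` still present in the bounding set (CapBnd) of the
    process whose status text is given, i.e. capabilities the drop missed.
    An empty list means every dropped capability is really gone."""
    bnd = parse_status(status_text).get("CapBnd", set())
    return sorted(set(dropped) & bnd)


if __name__ == "__main__":
    # Stand-alone use: decode the current process (run inside the container
    # against /proc/1/status to check the container's init instead).
    with open("/proc/self/status") as f:
        for field, names in sorted(parse_status(f.read()).items()):
            print(field, sorted(names))
    print(cap_drop_line(ALL_CAPS_2011 - ANDRE_DROP))
```

Inside the container, `grep ^Cap /proc/1/status` gives the masks to feed to parse_status; libcap's `capsh --decode=<hex>` does the same decoding as decode_mask if you would rather not carry a script in.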