This isn't particularly reassuring, and will be moot with user namespaces, but as people are asking for it, turn off sys_module. While we're at it, turn off mac_admin and mac_override.
Signed-off-by: Serge Hallyn <[email protected]> --- templates/lxc-ubuntu.in | 1 + 1 files changed, 1 insertions(+), 0 deletions(-) diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in index 9a41a49..05d71b9 100644 --- a/templates/lxc-ubuntu.in +++ b/templates/lxc-ubuntu.in @@ -179,6 +179,7 @@ lxc.pts = 1024 lxc.rootfs = $rootfs lxc.mount = $path/fstab lxc.arch = $arch +lxc.cap.drop = sys_module mac_override mac_admin lxc.cgroup.devices.deny = a # /dev/null and zero -- 1.7.5.4 _______________________________________________ Lxc-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/lxc-users
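Review bot: the added `lxc.cap.drop = sys_module mac_override mac_admin` line has a guest-visible side effect that neither the commit message nor a comment in the template mentions: loading AppArmor policy requires CAP_MAC_ADMIN, so if the Ubuntu guest's apparmor job is left enabled it will no longer be able to load its own profiles once mac_admin is dropped (expect apparmor_parser failures in the container's boot output rather than a silent success). Please document that next to the new line or in the commit message so users know what they are trading away. It would also help to make the "isn't particularly reassuring" remark concrete in the message: without user namespaces the container's root keeps CAP_SYS_ADMIN and the rest of its capability set, so dropping sys_module only closes the module-loading capability check and is not a host-isolation boundary, which is what people asking for this option are likely to assume it is. Nit: the names are written without the cap_ prefix, which is the accepted lxc.conf syntax, so nothing to change there.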
