ubuntu template: disallow cap_sys_module (by popular demand)

This isn't particularly reassuring, and will be moot with user namespaces, but as people are asking for it, turn off sys_module. While we're at it, turn off mac_admin and mac_override. Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
author: Serge E. Hallyn <serge.hallyn@canonical.com> 2011-10-24 14:38:30 +0200
committer: Daniel Lezcano <daniel.lezcano@free.fr> 2011-10-24 14:38:30 +0200
commit: cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915 (patch)
tree: 4a564a63629cff1765d45011e5bb3837cda2dea5 /templates/lxc-ubuntu.in
parent: lxc-clone: fix dhclient.conf send hostname command (diff)
download: lxc-cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915.tar.gz
lxc-cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915.tar.bz2
lxc-cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915.zip
1 files changed, 1 insertions, 0 deletions
diff --git a/templates/lxc-ubuntu.in b/templates/lxc-ubuntu.in
index 9a41a49..05d71b9 100644
--- a/templates/lxc-ubuntu.in
+++ b/templates/lxc-ubuntu.in
@@ -179,6 +179,7 @@ lxc.pts = 1024
 lxc.rootfs = $rootfs
 lxc.mount  = $path/fstab
 lxc.arch = $arch
+lxc.cap.drop = sys_module mac_override mac_admin
 
 lxc.cgroup.devices.deny = a
 # /dev/null and zero
author	Serge E. Hallyn <serge.hallyn@canonical.com>	2011-10-24 14:38:30 +0200
committer	Daniel Lezcano <daniel.lezcano@free.fr>	2011-10-24 14:38:30 +0200
commit	cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915 (patch)
tree	4a564a63629cff1765d45011e5bb3837cda2dea5 /templates/lxc-ubuntu.in
parent	lxc-clone: fix dhclient.conf send hostname command (diff)
download	lxc-cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915.tar.gz lxc-cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915.tar.bz2 lxc-cdcee3c7ff56e3018bd73ddd1512dbe4cbcfa915.zip