From: Matthijs Kooijman
Date: Wed, 17 Aug 2011 12:44:45 +0000 (+0200)
Subject: lxc: Drop a bunch of capabilities in the template container
X-Git-Url: https://git.stderr.nl/gitweb?a=commitdiff_plain;h=a08ca92cb5112693560c9b2d8454f49d56a23230;p=matthijs%2Fservers%2Ftika.git

lxc: Drop a bunch of capabilities in the template container

This should enhance the security of the containers a bit, but it's certainly not foolproof yet and dropping these capabilities might have side effects as well (some are a bit coarse-grained, like sys_admin).
---
diff --git a/var/lib/lxc/template/config b/var/lib/lxc/template/config
index 4a07164..0509ae6 100644
--- a/var/lib/lxc/template/config
+++ b/var/lib/lxc/template/config
@@ -53,3 +53,17 @@ lxc.cgroup.devices.allow = c 254:0 rwm
 # to the rootfs)
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry=sysfs sys sysfs defaults 0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start
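Review bot: The new lxc.cap.drop lines are a denylist, so the container's root keeps every capability not named here — notably mknod, which the `lxc.cgroup.devices.allow = c 254:0 rwm` context line still permits on that device, and sys_ptrace, setfcap and mac_admin/mac_override are also untouched; if the lxc version in use supports `lxc.cap.keep`, an allowlist is easier to audit than growing this list one key at a time. The hunk repeats the `lxc.cap.drop` key once per capability, which presumably accumulates rather than overwrites; it is worth confirming that against the lxc version deployed, or collapsing them into one space-separated value so the question does not arise. Dropping net_admin means the container's own init can no longer bring up or address its interfaces, so networking has to be fully configured from the host side, and a comment such as `# interfaces must be configured from the host via lxc.network.*` next to that line would save the next reader a debugging session. The `# sys_boot is always dropped by lxc-start` comment is a claim about lxc-start behaviour rather than this file; naming the lxc version it was observed with would keep it verifiable.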