+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start