X-Git-Url: https://git.stderr.nl/gitweb?a=blobdiff_plain;f=var%2Flib%2Flxc%2Ftemplate%2Fconfig;h=c891c663c6f1336c1b4101c72ee34d6fdb87b58d;hb=76fe437947a130ecef66cf9f3c396db15f764dfc;hp=4a071648d7eb3388791292241615a884a2404893;hpb=b77df5e1630acf8e98af7073009adfec001d0a17;p=matthijs%2Fservers%2Ftika.git
diff --git a/var/lib/lxc/template/config b/var/lib/lxc/template/config
index 4a07164..c891c66 100644
--- a/var/lib/lxc/template/config
+++ b/var/lib/lxc/template/config
@@ -1,5 +1,5 @@
 # Hostname
-lxc.utsname = template
+lxc.utsname = template.local
 # Use this root filesystem
 lxc.rootfs = /containers/template
@@ -50,6 +50,22 @@ lxc.cgroup.devices.allow = c 5:2 rwm
 lxc.cgroup.devices.allow = c 254:0 rwm
 # mounts (note that the second item in each list is the mount point, relative
-# to the rootfs)
+ to the rootfs)
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry=sysfs sys sysfs defaults 0 0
+lxc.mount.entry=/data/users data/users none defaults,bind 0 0
+lxc.mount.entry=/etc/skel etc/skel none defaults,bind,ro 0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start
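Review bot: The replacement line ` to the rootfs)` in the mounts hunk has lost its leading `#`, so unless that is a rendering artefact of this listing LXC no longer reads it as a comment but as a configuration line with no `=`, which the config parser should reject and which would stop the template container from starting. Restoring `# to the rootfs)`, or folding the remark onto the preceding comment line, fixes it. Separately, the new `/data/users` bind mount is writable and shared with the host while the container has no uid mapping, so a setuid binary created there from inside the container is equally executable on the host side; `defaults,bind,nosuid,nodev` is the usual mitigation, with the caveat that some LXC versions only apply extra flags to a bind mount through a remount, which is worth verifying against the version in use. The `-6 +22` counts suggest one trailing context line was trimmed from this listing.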