lxc: Drop a bunch of capabilities in the template container

This should enhance the security of the containers a bit, but it's
certainly not foolproof yet and dropping these capabilities might have
side effects as well (some are a bit coarse-grained, like sys_admin).

diff --git a/var/lib/lxc/template/config b/var/lib/lxc/template/config
index 4a071648d7eb3388791292241615a884a2404893..0509ae6e49d6b90e50a783e19adbdf1d8ed25fa2 100644 (file)
--- a/var/lib/lxc/template/config
+++ b/var/lib/lxc/template/config
@@ -53,3 +53,17 @@ lxc.cgroup.devices.allow = c 254:0 rwm
 # to the rootfs)
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry=sysfs sys sysfs defaults  0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start