This should enhance the security of the containers a bit, but it's
certainly not foolproof yet and dropping these capabilities might have
side effects as well (some are a bit coarse-grained, like sys_admin).
# to the rootfs)
lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=sysfs sys sysfs defaults 0 0
# to the rootfs)
lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
lxc.mount.entry=sysfs sys sysfs defaults 0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start