From a08ca92cb5112693560c9b2d8454f49d56a23230 Mon Sep 17 00:00:00 2001
From: Matthijs Kooijman
Date: Wed, 17 Aug 2011 14:44:45 +0200
Subject: [PATCH] lxc: Drop a bunch of capabilities in the template container
This should enhance the security of the containers a bit, but it's certainly not foolproof yet and dropping these capabilities might have side effects as well (some are a bit coarse-grained, like sys_admin).
---
var/lib/lxc/template/config | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/var/lib/lxc/template/config b/var/lib/lxc/template/config
index 4a07164..0509ae6 100644
--- a/var/lib/lxc/template/config
+++ b/var/lib/lxc/template/config
@@ -53,3 +53,17 @@ lxc.cgroup.devices.allow = c 254:0 rwm
 # to the rootfs)
 lxc.mount.entry=proc proc proc nodev,noexec,nosuid 0 0
 lxc.mount.entry=sysfs sys sysfs defaults 0 0
+
+# Disallow module (un)loading
+lxc.cap.drop = sys_module
+# Disallow doing raw io
+lxc.cap.drop = sys_rawio
+# Disallow changing the clock
+lxc.cap.drop = sys_time
+# Disallow changing network settings
+lxc.cap.drop = net_admin
+# Disallow changing auditing settings
+lxc.cap.drop = audit_control
+# Disallow various admin tasks (probably has side-effects)
+lxc.cap.drop = sys_admin
+# sys_boot is always dropped by lxc-start
-- 
2.30.2
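Review bot: The `lxc.cap.drop = net_admin` line removes the container's ability to configure its own network interfaces (address assignment, bringing links up), so unless the host side of this template sets the interface up before the container's init runs, networking inside the container will silently fail; the template's network settings are outside this hunk, so this should be verified against them. The `sys_admin` comment only says "probably has side-effects", which leaves the next maintainer guessing; CAP_SYS_ADMIN also covers mount(2) and sethostname(2), which a typical init performs at boot, so the comment should record what was actually tested, e.g. `# Disallow various admin tasks (includes mount and sethostname; verify the template's init still boots with this dropped)`. The per-line `lxc.cap.drop` entries accumulate, which is fine, but the last comment `# sys_boot is always dropped by lxc-start` states a behaviour of the lxc-start version in use and will go stale without a version reference; consider noting the lxc version it was observed with.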