Add note about lxc.cap.keep > lxc.cap.drop

2022-11-09 12:21:53 -05:00 · 2013-06-20 00:39:35 +07:00 · 2013-06-20 00:39:35 +07:00 · 788d66f409
commit 788d66f409
parent 96988a37f5
1 changed files with 3 additions and 0 deletions
--- a/lxc_template.go
+++ b/lxc_template.go
@ -90,6 +90,9 @@ lxc.mount.entry = {{$realPath}} {{$ROOTFS}}/{{$virtualPath}} none bind,rw 0 0
 {{end}}

 # drop linux capabilities (apply mainly to the user root in the container)
+#  (Note: 'lxc.cap.keep' is coming soon and should replace this under the
+#         security principle 'deny all unless explicitly permitted', see
+#         http://sourceforge.net/mailarchive/message.php?msg_id=31054627 )
 lxc.cap.drop = audit_control audit_write mac_admin mac_override mknod setfcap setpcap sys_admin sys_boot sys_module sys_nice sys_pacct sys_rawio sys_resource sys_time sys_tty_config

 # limits