config: start with a full capability set

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
lxc · Mar 1, 2018 · 5c0d54c · 5c0d54c
1 parent 4cb5384
commit 5c0d54c
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
@@ -2,5 +2,9 @@
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
 
+# Start with a full set of capabilities in user namespaces.
+lxc.cap.drop =
+lxc.cap.keep =
+
 # We can't move bind-mounts, so don't use /dev/lxc/
 lxc.tty.dir =