Thanks for the suggestion, Soren. This was just mentioned in IRC as well. As there is no pretense of security against root in the container right now, this isn't particularly important, so I'll send a patch upstream, but we may just wait for upstream to take the patch. If we are able to start using user namespaces for p, then it'll be moot since module insertion checks are targeted at the initial user namespace.

Libvirt does it by default, but as with devices cgroup entries, offers no flexibility about it.

** Changed in: lxc (Ubuntu)
       Status: New => Confirmed

https://bugs.launchpad.net/bugs/850687

Title:
  Should disable cap_module by default