On Dec 30, Alex Mestiashvili <ames...@rsh2.donotuse.de> wrote: > AFAIK there is no way drop some capabilities with systemd geared linux > containers while it is possible with sysvinit. Here it is: no CAP_SYS_ADMIN.
# cat /etc/systemd/nspawn/secure.nspawn [Exec] DropCapability=CAP_AUDIT_CONTROL CAP_MKNOD CAP_NET_RAW CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYSLOG CAP_WAKE_ALARM CAP_SYS_ADMIN [Files] TemporaryFileSystem=/run/lock -- ciao, Marco
signature.asc
Description: PGP signature
