On Dec 30, Alex Mestiashvili <amestia@rsh2.donotuse.de> wrote: > AFAIK there is no way drop some capabilities with systemd geared linux > containers while it is possible with sysvinit. Here it is: no CAP_SYS_ADMIN. # cat /etc/systemd/nspawn/secure.nspawn [Exec] DropCapability=CAP_AUDIT_CONTROL CAP_MKNOD CAP_NET_RAW CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_TIME CAP_SYSLOG CAP_WAKE_ALARM CAP_SYS_ADMIN [Files] TemporaryFileSystem=/run/lock -- ciao, Marco
Attachment:
signature.asc
Description: PGP signature