config: start with a full capability set

Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>

diff --git a/config/templates/userns.conf.in b/config/templates/userns.conf.in
index be4fbbc6beee06524597e9b45b7d49416aa19fc2..967576b4c83210a0f6601e0f77173931a58f796f 100644 (file)
--- a/config/templates/userns.conf.in
+++ b/config/templates/userns.conf.in
@@ -2,5 +2,9 @@
 lxc.cgroup.devices.deny =
 lxc.cgroup.devices.allow =
 
+# Start with a full set of capabilities in user namespaces.
+lxc.cap.drop =
+lxc.cap.keep =
+
 # We can't move bind-mounts, so don't use /dev/lxc/
 lxc.tty.dir =