From e83ec894936775c6d8f238c1c5ba21e7bfa9574e Mon Sep 17 00:00:00 2001
From: Silvio Rhatto
Date: Thu, 4 Jan 2018 14:36:37 -0200
Subject: Disables kernel.unprivileged_userns_clone at virtual::lxc::unprivileged
---
 manifests/lxc/unprivileged.pp | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/manifests/lxc/unprivileged.pp b/manifests/lxc/unprivileged.pp
index 6f187a5..d980192 100644
--- a/manifests/lxc/unprivileged.pp
+++ b/manifests/lxc/unprivileged.pp
@@ -9,12 +9,14 @@ class virtual::lxc::unprivileged {
 ensure => present,
 }
+ # Disabled, see https://www.debian.org/security/2017/dsa-4073
 file { "/etc/sysctl.d/80-lxc-userns.conf":
 owner => "root",
 group => "root",
 mode => '0644',
 ensure => present,
- content => "kernel.unprivileged_userns_clone=1\n",
+ #content => "kernel.unprivileged_userns_clone=!\n",
+ content => "kernel.unprivileged_userns_clone=0\n",
 }
 exec { "sysctl --system":
--
cgit v1.2.3
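Review bot: The commented-out line kept beside the new value reads `kernel.unprivileged_userns_clone=!`, which is neither the removed value (`=1`) nor a setting sysctl would accept, so anyone who later uncomments it to re-enable user namespaces ends up with a broken drop-in. I would delete that line and let the comment carry the intent, for example `# Unprivileged user namespaces are kept off (=0), see https://www.debian.org/security/2017/dsa-4073; switch back to 1 only once the kernel fixes from that advisory are installed.` Because this class is named for unprivileged LXC, the comment should also say that containers started by non-root users will presumably stop working while the value is 0. The `exec { "sysctl --system":` resource continues outside the hunk, so whether the new value reaches the running kernel as soon as the file changes cannot be confirmed from here.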