Merge pull request #1544 from brauner/2017-05-08/harden_console_handling

[mirror_lxc.git] / config / templates / common.conf.in

# Default configuration shared by all containers

# Setup the LXC devices in /dev/lxc/
lxc.devttydir = lxc

# Allow for 1024 pseudo terminals
lxc.pts = 1024

# Setup 4 tty devices
lxc.tty = 4

# Drop some harmful capabilities
lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio

# Set the pivot directory
lxc.pivotdir = lxc_putold

# Ensure hostname is changed on clone
lxc.hook.clone = @LXCHOOKDIR@/clonehostname

# CGroup whitelist
lxc.cgroup.devices.deny = a
## Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## Allow specific devices
### /dev/null
lxc.cgroup.devices.allow = c 1:3 rwm
### /dev/zero
lxc.cgroup.devices.allow = c 1:5 rwm
### /dev/full
lxc.cgroup.devices.allow = c 1:7 rwm
### /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
### /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm
### /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rwm
### /dev/random
lxc.cgroup.devices.allow = c 1:8 rwm
### /dev/urandom
lxc.cgroup.devices.allow = c 1:9 rwm
### /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rwm
### fuse
lxc.cgroup.devices.allow = c 10:229 rwm

# Setup the default mounts
lxc.mount.auto = cgroup:mixed proc:mixed sys:mixed
lxc.mount.entry = /sys/fs/fuse/connections sys/fs/fuse/connections none bind,optional 0 0

# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = @LXCTEMPLATECONFIG@/common.seccomp

# Lastly, include all the configs from @LXCTEMPLATECONFIG@/common.conf.d/
lxc.include = @LXCTEMPLATECONFIG@/common.conf.d/