[mirror_lxc.git] / config / templates / gentoo.common.conf.in

# Gentoo common default configuration
# This is the most feature-full container configuration
# But security is not the goal.
# Looking for more security, see gentoo.common.conf

# sysfs
lxc.mount.entry=sys sys sysfs defaults 0 0

# console access
lxc.pts = 1024

# this part is based on 'linux capabilities', see: man 7 capabilities
#  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)

lxc.cap.drop = sys_module mac_admin mac_override sys_time

# deny access to all devices by default, explicitly grant some permissions
#
# format is [c|b] [major|*]:[minor|*] [r][w][m]
#            ^     ^                   ^
# char/block -'     \`- device number    \`-- read, write, mknod
#
# first deny all...
lxc.cgroup.devices.deny = a
## Allow any mknod (but not using the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
## /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rwm
lxc.cgroup.devices.allow = c 1:5 rwm
## consoles
lxc.cgroup.devices.allow = c 5:0 rwm
lxc.cgroup.devices.allow = c 5:1 rwm
## /dev/{,u}random
lxc.cgroup.devices.allow = c 1:8 rwm
lxc.cgroup.devices.allow = c 1:9 rwm
## /dev/pts/*
lxc.cgroup.devices.allow = c 5:2 rwm
lxc.cgroup.devices.allow = c 136:* rwm
## rtc
lxc.cgroup.devices.allow = c 254:0 rm
## fuse
lxc.cgroup.devices.allow = c 10:229 rwm
## tun
lxc.cgroup.devices.allow = c 10:200 rwm
## full
lxc.cgroup.devices.allow = c 1:7 rwm
## hpet
lxc.cgroup.devices.allow = c 10:228 rwm
## kvm
lxc.cgroup.devices.allow = c 10:232 rwm
## To use loop devices, copy the following line to the container's
## configuration file (uncommented).
#lxc.cgroup.devices.allow = b 7:* rwm
Commit	Line	Data
cae3584e	1	# Gentoo common default configuration
	2	# This is the most feature-full container configuration
	3	# But security is not the goal.
1609f0fb	4	# Looking for more security, see gentoo.common.conf
cae3584e	5
	6	# sysfs
	7	lxc.mount.entry=sys sys sysfs defaults 0 0
	8
	9	# console access
	10	lxc.pts = 1024
	11
	12	# this part is based on 'linux capabilities', see: man 7 capabilities
	13	# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
	14
	15	lxc.cap.drop = sys_module mac_admin mac_override sys_time
	16
	17	# deny access to all devices by default, explicitly grant some permissions
	18	#
	19	# format is [c\|b] [major\|]:[minor\|] [r][w][m]
	20	# ^ ^ ^
	21	# char/block -' \`- device number \`-- read, write, mknod
	22	#
	23	# first deny all...
	24	lxc.cgroup.devices.deny = a
	25	## Allow any mknod (but not using the node)
	26	lxc.cgroup.devices.allow = c : m
	27	lxc.cgroup.devices.allow = b : m
	28	## /dev/null and zero
	29	lxc.cgroup.devices.allow = c 1:3 rwm
	30	lxc.cgroup.devices.allow = c 1:5 rwm
	31	## consoles
	32	lxc.cgroup.devices.allow = c 5:0 rwm
	33	lxc.cgroup.devices.allow = c 5:1 rwm
	34	## /dev/{,u}random
	35	lxc.cgroup.devices.allow = c 1:8 rwm
	36	lxc.cgroup.devices.allow = c 1:9 rwm
	37	## /dev/pts/*
	38	lxc.cgroup.devices.allow = c 5:2 rwm
	39	lxc.cgroup.devices.allow = c 136:* rwm
	40	## rtc
	41	lxc.cgroup.devices.allow = c 254:0 rm
	42	## fuse
	43	lxc.cgroup.devices.allow = c 10:229 rwm
	44	## tun
	45	lxc.cgroup.devices.allow = c 10:200 rwm
	46	## full
	47	lxc.cgroup.devices.allow = c 1:7 rwm
	48	## hpet
	49	lxc.cgroup.devices.allow = c 10:228 rwm
	50	## kvm
	51	lxc.cgroup.devices.allow = c 10:232 rwm
	52	## To use loop devices, copy the following line to the container's
	53	## configuration file (uncommented).
	54	#lxc.cgroup.devices.allow = b 7:* rwm