1 # This derives from the global common config.
# @LXCTEMPLATECONFIG@ is a placeholder that is substituted when this .conf.in
# template is processed; it is not a usable path as written here.
2 lxc.include = @LXCTEMPLATECONFIG@/common.conf
3
4 # Gentoo security oriented default configuration
5 # This is a more security oriented container configuration
6 # "More" because this is far from fully secure
7 # Looking for more working features and you trust your
8 # container user? See gentoo.common.conf
9
10 # Do not mount sysfs, see http://blog.bofh.it/debian/id_413
# Only mqueue, shm and run are mounted below; all three are nosuid,nodev.
# mqueue and shm are additionally noexec; run is mounted rw without noexec,
# so files placed under /run can still be executed inside the container.
11 lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid,create=dir 0 0
12 lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,create=dir 0 0
13 lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
14
15 # Capabilities
16 # Uncomment these if you don't run anything that needs the capability, and
17 # would like the container to run with less privilege.
18 #
19 # Dropping sys_admin disables container root from doing a lot of things
20 # that could be bad like re-mounting lxc fstab entries rw for example,
21 # but also disables some useful things like being able to nfs mount, and
22 # things that are already namespaced with ns_capable() kernel checks, like
23 # hostname(1).
# NOTE: the active lxc.cap.drop line further below already drops sys_admin,
# setpcap, sys_resource, audit_control, audit_write and dac_read_search, so
# the breakage noted next to those entries applies to this configuration as
# shipped. Of the list below, only net_raw, setgid, setuid and sys_boot are
# still kept by default.
24 # lxc.cap.drop = sys_admin # breaks systemd
25 # lxc.cap.drop = net_raw # breaks dhcp/ping
26 # lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
27 # lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
28 # lxc.cap.drop = setuid # breaks sshd,nfs statd
29 # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
30 # lxc.cap.drop = audit_write
31 # lxc.cap.drop = setpcap # breaks journald
32 # lxc.cap.drop = sys_resource # breaks systemd
33 # lxc.cap.drop = sys_boot # breaks sysvinit
# Space-separated list of capabilities dropped for the whole container.
# net_admin and net_raw are not in this list (see the WARNING below).
34 lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap setpcap sys_admin sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
35
36 # WARNING: the security vulnerability reported for 'cap_net_admin' at
37 # http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
38 # via JIT spraying (the BPF JIT module disabled on most systems was used
39 # in the example, but others are suggested vulnerable) meant that users
40 # with root in a container, that capability and kernel module may escape
41 # the container. ALWAYS be extremely careful granting any process root
42 # within a container, use a minimal configuration at all levels -
43 # including the kernel - and multiple layers of security on any system
44 # where security is a priority. Note that not only LXC but PAX (and
45 # others?) were vulnerable to this issue.
# net_admin is NOT dropped by the lxc.cap.drop line above, so this caveat
# applies to the configuration as shipped. Consider adding net_admin to that
# list when the container does not need to manage its own network setup.