git.proxmox.com Git - mirror_lxc.git/blob - config/templates/openwrt.common.conf.in
1 # Default console settings
# lxc.devttydir: directory under the container's /dev in which LXC creates
#   the console/tty device nodes (here /dev/lxc).
# lxc.tty: number of ttys made available to the container.
# lxc.pts: gives the container its own devpts instance; the value is the
#   nominal maximum number of ptys. NOTE(review): the LXC man page of this
#   era describes that limit as not enforced, so do not rely on it as a
#   resource cap - confirm against the LXC version in use.
2 lxc.devttydir = lxc
3 lxc.tty = 4
4 lxc.pts = 1024
5
6 # Default capabilities
# Each lxc.cap.drop line removes one capability from the container; the
# key is repeated on purpose and the entries accumulate.
# This is a drop-list: every capability NOT named here stays available to
# root inside the container. When auditing, review what is retained as well
# as what is dropped; LXC also offers lxc.cap.keep for an allow-list
# approach if tighter confinement is needed.
# What the entries below prevent:
#   mac_admin / mac_override - changing or bypassing the host's MAC (LSM) policy
#   sys_admin                - the broad administrative capability
#   sys_module               - loading or unloading kernel modules
#   sys_nice, sys_resource   - raising scheduling priority / exceeding resource limits
#   sys_pacct                - toggling process accounting
#   sys_ptrace               - tracing arbitrary processes
#   sys_rawio                - raw I/O port and memory access
#   sys_time                 - setting the system or hardware clock
#   sys_tty_config           - privileged tty configuration (e.g. vhangup)
#   syslog                   - privileged kernel log operations
#   wake_alarm               - setting system wake-up alarms
7 lxc.cap.drop = mac_admin
8 lxc.cap.drop = mac_override
9 lxc.cap.drop = sys_admin
10 lxc.cap.drop = sys_module
11 lxc.cap.drop = sys_nice
12 lxc.cap.drop = sys_pacct
13 lxc.cap.drop = sys_ptrace
14 lxc.cap.drop = sys_rawio
15 lxc.cap.drop = sys_resource
16 lxc.cap.drop = sys_time
17 lxc.cap.drop = sys_tty_config
18 lxc.cap.drop = syslog
19 lxc.cap.drop = wake_alarm
20
21 # Default cgroups - all denied except those whitelisted
# Order matters: "deny = a" must come first so that every device is blocked
# before the individual allow rules below re-open specific ones.
# Rule format: <type> <major>:<minor> <access>, where type is c (char) or
# b (block) and access is any of r (read), w (write), m (mknod).
# The rules match on device NUMBERS, not on path names; the "##" labels are
# the conventional Linux assignments for those numbers.
22 lxc.cgroup.devices.deny = a
23 ## /dev/null and zero
24 lxc.cgroup.devices.allow = c 1:3 rwm
25 lxc.cgroup.devices.allow = c 1:5 rwm
26 ## consoles
# 5:0 is /dev/tty, 5:1 is /dev/console.
27 lxc.cgroup.devices.allow = c 5:0 rwm
28 lxc.cgroup.devices.allow = c 5:1 rwm
29 ## /dev/{,u}random
30 lxc.cgroup.devices.allow = c 1:8 rwm
31 lxc.cgroup.devices.allow = c 1:9 rwm
32 ## /dev/pts/*
# 5:2 is /dev/ptmx; major 136 covers the pty slave devices.
33 lxc.cgroup.devices.allow = c 5:2 rwm
34 lxc.cgroup.devices.allow = c 136:* rwm
35 ## rtc
# Read and mknod only (no "w"), which is consistent with sys_time being
# dropped: the container can read the clock but not set it.
# NOTE(review): the rtc major is allocated dynamically on many kernels, so
# 254:0 may be a different device on a given host - check /proc/devices on
# the target before relying on this rule.
36 lxc.cgroup.devices.allow = c 254:0 rm
37 ## tun
# 10:200 is /dev/net/tun.
38 lxc.cgroup.devices.allow = c 10:200 rwm
39 ## dev/tty0
# NOTE(review): 4:0 and 4:1 are the numbers of the host's virtual consoles
# (tty0/tty1). These rules permit read/write/mknod on them from inside the
# container; confirm the OpenWrt guest really needs them and remove the
# rules otherwise.
40 lxc.cgroup.devices.allow = c 4:0 rwm
41 ## dev/tty1
42 lxc.cgroup.devices.allow = c 4:1 rwm
43
44 ## To use loop devices, copy the following line to the container's
45 ## configuration file (uncommented).
# Left disabled by default. The wildcard minor would cover every loop device
# on the host, not only ones set up for this container, so enable it only
# for containers that are trusted with that access.
46 #lxc.cgroup.devices.allow = b 7:* rwm
47
48 # Blacklist some syscalls which are not safe in privileged
49 # containers
# Points LXC at a seccomp profile shared with other templates. Per the
# comment above it is a deny-list, so any syscall the profile does not name
# remains callable; treat it as defence in depth alongside the capability
# and device rules, not as the sole boundary.
# NOTE(review): the path is hard-coded although this file is a ".in"
# template. If LXC is installed under a different prefix the profile will
# not be at this location - verify the path on the target, and confirm that
# a missing profile makes container start fail rather than run unfiltered.
50 lxc.seccomp = /usr/share/lxc/config/common.seccomp