# NOTE(review): the leading number on each line is the listing's own line
# number, not LXC syntax. The numbering jumps from 1 to 7, so the console
# settings that the next header introduces are not shown in this listing.
1 # Default console settings
# Each lxc.cap.drop entry below removes one Linux capability from the
# container. The key is list-valued: repeated lines accumulate, and a later
# "lxc.cap.drop =" with an empty value clears everything dropped so far.
# When auditing, check every per-container config that includes this file
# for such a reset.
# mac_admin / mac_override: change or bypass mandatory access control policy.
7 lxc.cap.drop = mac_admin
8 lxc.cap.drop = mac_override
# sys_admin: broad administrative operations, including mount(2). Workloads
# that mount filesystems inside the container will fail without it.
9 lxc.cap.drop = sys_admin
# sys_module: load and unload kernel modules.
10 lxc.cap.drop = sys_module
# sys_nice: raise priority or change scheduling of other processes.
11 lxc.cap.drop = sys_nice
# sys_pacct: turn process accounting on or off.
12 lxc.cap.drop = sys_pacct
# sys_ptrace: trace arbitrary processes.
13 lxc.cap.drop = sys_ptrace
# sys_rawio: raw I/O port access.
14 lxc.cap.drop = sys_rawio
# sys_resource: override resource limits.
15 lxc.cap.drop = sys_resource
# sys_time: set the system clock.
16 lxc.cap.drop = sys_time
# sys_tty_config: privileged tty configuration, e.g. vhangup(2).
17 lxc.cap.drop = sys_tty_config
# wake_alarm: arm timers that wake the system from suspend.
# (Listing line 18 is not shown; there may be a further entry there.)
19 lxc.cap.drop = wake_alarm
21 # Default cgroups - all denied except those whitelisted
# Entry format: <type> <major>:<minor> <access>. Type is c (character) or
# b (block); access is any of r (read), w (write), m (mknod).
# Order matters: the blanket deny must come before the allow entries.
# NOTE(review): lxc.cgroup.* keys address the cgroup v1 devices controller.
# On hosts using the unified cgroup v2 hierarchy, newer LXC uses
# lxc.cgroup2.devices.* instead - confirm the allowlist is actually enforced.
# "a" denies every device of every type.
22 lxc.cgroup.devices.deny = a
# 1:3 /dev/null, 1:5 /dev/zero
24 lxc.cgroup.devices.allow = c 1:3 rwm
25 lxc.cgroup.devices.allow = c 1:5 rwm
# 5:0 /dev/tty, 5:1 /dev/console
27 lxc.cgroup.devices.allow = c 5:0 rwm
28 lxc.cgroup.devices.allow = c 5:1 rwm
# 1:8 /dev/random, 1:9 /dev/urandom
30 lxc.cgroup.devices.allow = c 1:8 rwm
31 lxc.cgroup.devices.allow = c 1:9 rwm
# 5:2 /dev/ptmx, 136:* Unix98 pty slaves under /dev/pts
33 lxc.cgroup.devices.allow = c 5:2 rwm
34 lxc.cgroup.devices.allow = c 136:* rwm
# 254:0 is granted read and mknod only, no write. Major 254 is in the
# dynamically assigned range; presumably this is the RTC, as upstream LXC
# configs label it - verify on the target kernel.
36 lxc.cgroup.devices.allow = c 254:0 rm
# 10:200 /dev/net/tun. Only needed if the container creates tun/tap
# interfaces; remove it otherwise.
38 lxc.cgroup.devices.allow = c 10:200 rwm
# 4:0 /dev/tty0 and 4:1 /dev/tty1 are the host's virtual consoles.
# NOTE(review): read/write access lets the container interact with the
# host's console; keep these two entries only if that is required.
40 lxc.cgroup.devices.allow = c 4:0 rwm
42 lxc.cgroup.devices.allow = c 4:1 rwm
44 ## To use loop devices, copy the following line to the container's
45 ## configuration file (uncommented).
# Loop devices are shared with the host rather than private to a container,
# so enable this per container only where it is needed, never in this
# common file.
46 #lxc.cgroup.devices.allow = b 7:* rwm
# The comment on the next line continues on a listing line that is not
# shown (presumably "containers").
48 # Blacklist some syscalls which are not safe in privileged
# Points LXC at a seccomp policy file. The effective syscall filter is
# whatever that file contains; it is not shown here, so review it together
# with this config. A missing or unreadable policy file should be treated
# as a deployment error, not ignored.
# NOTE(review): newer LXC releases name this key lxc.seccomp.profile -
# confirm which spelling the installed version honours.
50 lxc.seccomp = /usr/share/lxc/config/common.seccomp