@ -0,0 +1,78 @@ |
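--- /dev/null
+++ b/config/templates/openwrt.common.conf.in
@@ -0,0 +1,56 @@
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+
+# Default console settings
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = mac_admin
+lxc.cap.drop = mac_override
+lxc.cap.drop = sys_admin
+lxc.cap.drop = sys_module
+lxc.cap.drop = sys_nice
+lxc.cap.drop = sys_pacct
+lxc.cap.drop = sys_ptrace
+lxc.cap.drop = sys_rawio
+lxc.cap.drop = sys_resource
+lxc.cap.drop = sys_time
+lxc.cap.drop = sys_tty_config
+lxc.cap.drop = syslog
+lxc.cap.drop = wake_alarm
+
+# Default cgroups - all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## dev/tty0
+lxc.cgroup.devices.allow = c 4:0 rwm
+## dev/tty1
+lxc.cgroup.devices.allow = c 4:1 rwm
+
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/common.seccomp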
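Review bot: The last line of the hunk, `lxc.seccomp = /usr/share/lxc/config/common.seccomp`, hardcodes the install prefix inside a `.conf.in` template that this same commit registers with configure's AC_CONFIG_FILES, so a build with a non-default `--prefix` or `--datadir` installs a template pointing at a file that does not exist. If memory serves, the sibling Ubuntu templates reference the configure-time template directory through an `@...@` substitution (`@LXCTEMPLATECONFIG@/common.seccomp`); the same substitution should be used here, which keeps the path in step with wherever `common.seccomp` is actually installed. With a dangling path the syscall blacklist the comment promises is either not applied or the container refuses to start, depending on the LXC version, and neither outcome is visible from this file alone. Separately, `lxc.mount.entry = sysfs sys sysfs defaults 0 0` mounts sysfs read-write; a one-line comment stating whether that is intentional for OpenWrt guests (or switching to `ro` if it is not needed) would document the choice.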
--- a/configure.ac
+++ b/configure.ac
@@ -579,6 +579,7 @@ AC_CONFIG_FILES([
config/templates/ubuntu.common.conf |
config/templates/ubuntu.lucid.conf |
config/templates/ubuntu.userns.conf |
+ config/templates/openwrt.common.conf
config/yum/Makefile |
doc/Makefile |
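--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -22,4 +22,5 @@ templatesconfig_DATA = \
  ubuntu-cloud.userns.conf \
  ubuntu.common.conf \
  ubuntu.lucid.conf \
- ubuntu.userns.conf
+ ubuntu.userns.conf \
+ openwrt.common.conf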