mirror of
https://github.com/lxc/lxc-templates.git
synced 2024-12-23 06:50:13 +00:00
46 lines
2.5 KiB
Plaintext
46 lines
2.5 KiB
Plaintext
|
# This derives from the global common config
|
||
|
lxc.include = @LXCTEMPLATECONFIG@/common.conf
|
||
|
|
||
|
# Gentoo security oriented default configuration
|
||
|
# This is a more security oriented container configuration
|
||
|
# "More" because this is far from fully secure
|
||
|
# Looking for more working features and you trust your
|
||
|
# Container user ? see gentoo.common.conf
|
||
|
|
||
|
# do not mount sysfs, see http://blog.bofh.it/debian/id_413
|
||
|
lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid,create=dir 0 0
|
||
|
lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,create=dir 0 0
|
||
|
lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0
|
||
|
|
||
|
# Capabilities
|
||
|
# Uncomment these if you don't run anything that needs the capability, and
|
||
|
# would like the container to run with less privilege.
|
||
|
#
|
||
|
# Dropping sys_admin disables container root from doing a lot of things
|
||
|
# that could be bad like re-mounting lxc fstab entries rw for example,
|
||
|
# but also disables some useful things like being able to nfs mount, and
|
||
|
# things that are already namespaced with ns_capable() kernel checks, like
|
||
|
# hostname(1).
|
||
|
# lxc.cap.drop = sys_admin # breaks systemd
|
||
|
# lxc.cap.drop = net_raw # breaks dhcp/ping
|
||
|
# lxc.cap.drop = setgid # breaks login (initgroups/setgroups)
|
||
|
# lxc.cap.drop = dac_read_search # breaks login (pam unix_chkpwd)
|
||
|
# lxc.cap.drop = setuid # breaks sshd,nfs statd
|
||
|
# lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
|
||
|
# lxc.cap.drop = audit_write
|
||
|
# lxc.cap.drop = setpcap # breaks journald
|
||
|
# lxc.cap.drop = sys_resource # breaks systemd
|
||
|
# lxc.cap.drop = sys_boot # breaks sysvinit
|
||
|
lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mknod setfcap setpcap sys_admin sys_nice sys_pacct sys_ptrace sys_rawio sys_resource sys_tty_config syslog
|
||
|
|
||
|
# WARNING: the security vulnerability reported for 'cap_net_admin' at
|
||
|
# http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
|
||
|
# via JIT spraying (the BPF JIT module disabled on most systems was used
|
||
|
# in the example, but others are suggested vulnerable) meant that users
|
||
|
# with root in a container, that capability and kernel module may escape
|
||
|
# the container. ALWAYS be extremely careful granting any process root
|
||
|
# within a container, use a minimal configuration at all levels -
|
||
|
# including the kernel - and multiple layers of security on any system
|
||
|
# where security is a priority. note that not only LXC but PAX (and
|
||
|
# others?) were vulnerable to this issue.
|