/usr/share/lxc/config/gentoo.moresecure.conf is in lxc 1.0.10-0ubuntu1.1.

This file is owned by root:root, with mode 0o644.

The actual contents of the file can be viewed below.

# Gentoo security oriented default configuration
# This is a more security oriented container configuration
# "More" because this is far from fully secure
# If you need more features to work and you trust your
# container user, see gentoo.common.conf

# Mount table for the container.
# do not mount sysfs, see http://blog.bofh.it/debian/id_413
# (the sysfs entry is kept below, commented out, so it is not mounted)
# lxc.mount.entry=sys sys sysfs rw 0 0
# /proc is mounted read-only, with nodev, noexec and nosuid
lxc.mount.entry=proc proc proc ro,nodev,noexec,nosuid 0 0
# POSIX message queues and shared memory: writable, but nodev, noexec and
# nosuid; create=dir creates the mount point if it is missing
lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid,create=dir 0 0
lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime,create=dir 0 0
# /run is a writable tmpfs with nosuid and nodev. Unlike the two tmpfs-style
# mounts above it does not set noexec, so files written there can be executed.
lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0

# console access
# lxc.pts gives the container its own devpts instance rather than sharing
# the host's; the value is documented as the maximum number of pseudo-ttys
# (see lxc.container.conf(5) - confirm how the LXC version in use treats it)
lxc.pts = 1024

# this part is based on 'linux capabilities', see: man 7 capabilities
#  eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
#
# WARNING: the security vulnerability reported for 'cap_net_admin' at
# http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
# via JIT spraying (the BPF JIT module disabled on most systems was used
# in the example, but others are suggested vulnerable) meant that users
# with root in a container, that capability and kernel module may escape
# the container. ALWAYS be extremely careful granting any process root
# within a container, use a minimal configuration at all levels -
# including the kernel - and multiple layers of security on any system
# where security is a priority.  note that not only LXC but PAX (and
# others?) were vulnerable to this issue.
#
# NOTE: net_admin, the capability the warning above is about, is NOT in the
# drop list below, so root inside the container keeps it (net_raw is kept
# too). Add it to lxc.cap.drop when the container does not have to configure
# its own network interfaces.
#
# lxc.cap.drop is a denylist: every capability not named on the line below
# stays available to the container, including any that neither list in this
# file mentions. lxc.cap.keep is the allowlist form (see lxc.container.conf(5)).
#
# conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
# aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)

lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog

# deny access to all devices by default, explicitly grant some permissions
#
# format is [c|b] [major|*]:[minor|*] [r][w][m]
#            ^     ^                   ^
# char/block -'     \`- device number    \`-- read, write, mknod
#
# The deny line must stay ahead of the allow lines: the entries build a
# default-deny list with explicit exceptions.
# 'm' only permits creating a node for that device number; creating nodes
# also needs the mknod capability, which lxc.cap.drop in this file removes.
#
# first deny all...
lxc.cgroup.devices.deny = a
# /dev/null (1:3) and /dev/zero (1:5)
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = c 1:5 rw
# /dev/urandom (1:9, read/write) and /dev/random (1:8, read-only)
lxc.cgroup.devices.allow = c 1:9 rw
lxc.cgroup.devices.allow = c 1:8 r
# /dev/pts/* (major 136) and /dev/ptmx (5:2)
lxc.cgroup.devices.allow = c 136:* rw
lxc.cgroup.devices.allow = c 5:2 rw
# /dev/tty{0,1}
# NOTE(review): major 4, minors 0 and 1 are the kernel's virtual consoles -
# confirm the container needs them before keeping rwm here.
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
# /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm

# Blacklist some syscalls which are not safe in privileged
# containers
# The denied syscalls are listed in the policy file named below, not in this
# file; review that file to see what is actually blocked. Because it is a
# blacklist, syscalls it does not name stay allowed.
lxc.seccomp = /usr/share/lxc/config/common.seccomp