From a9dc3cc4be70fc5233c67b52d5ec4461ae351bc4 Mon Sep 17 00:00:00 2001
From: Adam Boardman
Date: Thu, 31 Dec 2020 17:44:56 +0000
Subject: [PATCH] Adding more of lxc3 config bits and bobs that might be useful

---
 var/lib/lxc/android/config | 67 ++++++++++++++++++++++++++++++++++----
 1 file changed, 60 insertions(+), 7 deletions(-)

diff --git a/var/lib/lxc/android/config b/var/lib/lxc/android/config
index d330380..c86c3c8 100644
--- a/var/lib/lxc/android/config
+++ b/var/lib/lxc/android/config
@@ -1,12 +1,21 @@
-lxc.rootfs.path = /var/lib/lxc/android/rootfs
-#lxc.net.0.type = none
+lxc.net.0.type = none
 
-#lxc.devttydir = lxc
-#lxc.tty = 4
-#lxc.pts = 1024
-#lxc.arch = arm64
-#lxc.cap.drop = mac_admin mac_override
+lxc.rootfs.path = dir:/var/lib/lxc/android/rootfs
+
+#lxc.tty.dir = lxc
+lxc.tty.dir =
+lxc.tty.max = 4
+lxc.pty.max = 1024
+lxc.arch = arm64
+
+# Drop some harmful capabilities
+lxc.cap.drop = mac_admin mac_override sys_time sys_module sys_rawio
+
+# Blacklist some syscalls which are not safe in privileged containers
+lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp
+
+# Appears to be removed in latest lxc versions
 #lxc.pivotdir = lxc_putold
 
 lxc.hook.pre-start = /var/lib/lxc/android/pre-start.sh
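Review bot: The new `lxc.tty.dir =` with an empty value, sitting directly under the commented-out `#lxc.tty.dir = lxc`, reads like an unfinished edit; as far as I recall LXC treats an empty value as clearing the key, so if that is the intent the line should say so, e.g. `# empty value on purpose: keep console devices directly under /dev`. The `lxc.cap.drop` line is a deny-list, so sys_admin, sys_ptrace, net_admin and the rest stay granted to the container, and with `lxc.apparmor.profile = unconfined` in the second hunk the seccomp profile on the following line becomes the main syscall barrier; the comment above it should make clear that `common.seccomp` is the stock LXC deny-list shipped with the package rather than one tailored to this Android rootfs. It is also worth confirming that the profile path exists on the target image, since LXC refuses to start a container whose configured seccomp file it cannot read.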
@@ -17,6 +26,50 @@ lxc.hook.pre-start = /var/lib/lxc/android/pre-start.sh
 lxc.apparmor.profile = unconfined
 lxc.autodev = 0
+# CGroup whitelist
+lxc.cgroup.devices.deny = a
+## Allow any mknod (but not reading/writing the node)
+lxc.cgroup.devices.allow = c *:* m
+lxc.cgroup.devices.allow = b *:* m
+## Allow specific devices
+### /dev/null
+lxc.cgroup.devices.allow = c 1:3 rwm
+### /dev/zero
+lxc.cgroup.devices.allow = c 1:5 rwm
+### /dev/full
+lxc.cgroup.devices.allow = c 1:7 rwm
+### /dev/tty
+lxc.cgroup.devices.allow = c 5:0 rwm
+### /dev/console
+lxc.cgroup.devices.allow = c 5:1 rwm
+### /dev/ptmx
+lxc.cgroup.devices.allow = c 5:2 rwm
+### /dev/random
+lxc.cgroup.devices.allow = c 1:8 rwm
+### /dev/urandom
+lxc.cgroup.devices.allow = c 1:9 rwm
+### /dev/pts/*
+lxc.cgroup.devices.allow = c 136:* rwm
+### fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+
+# Extra cgroup device access
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
+
+lxc.hook.mount = /usr/share/lxcfs/lxc.mount.hook
+lxc.hook.post-stop = /usr/share/lxcfs/lxc.reboot.hook
+
+
 
 #lxc.mount.entry = tmpfs dev tmpfs nosuid 0 0
 #lxc.mount.entry = /dev/__properties__ dev/__properties__ bind bind,create=dir 0 0
 #lxc.mount.entry = /dev/socket dev/socket bind bind,create=dir 0 0
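Review bot: The "Extra cgroup device access" block grants `rwm` on kvm (10:232), hpet (10:228) and tun (10:200), and nothing in this Android rootfs config shows a consumer for them; a device allow-list should carry only what the guest actually uses, so I would comment those three entries out the same way the loop-device line already is, until a need is identified. These are `lxc.cgroup.` keys, which address the cgroup v1 devices controller, so on a host running the unified cgroup2 hierarchy the `lxc.cgroup.devices.deny = a` at the top of the block may have no effect at all; a comment such as `# cgroup v1 devices controller; on a cgroup2 host use the lxc.cgroup2.devices.* keys` next to it would save the next reader from assuming the list is enforced. The two lxcfs hooks at the end of the hunk also make container start depend on lxcfs being installed, which is worth noting beside them if lxcfs is optional on the target image.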