diff --git a/config/alpine.common.conf.in b/config/alpine.common.conf.in
index 1c4cf81..550ada8 100644
--- a/config/alpine.common.conf.in
+++ b/config/alpine.common.conf.in
@@ -8,7 +8,6 @@ lxc.tty.dir =
 lxc.cap.drop = audit_write
 lxc.cap.drop = ipc_owner
 lxc.cap.drop = mknod
-lxc.cap.drop = setpcap
 lxc.cap.drop = sys_nice
 lxc.cap.drop = sys_pacct
 lxc.cap.drop = sys_rawio
diff --git a/config/archlinux.common.conf.in b/config/archlinux.common.conf.in
index bebd7ad..81d6548 100644
--- a/config/archlinux.common.conf.in
+++ b/config/archlinux.common.conf.in
@@ -27,3 +27,5 @@ lxc.signal.halt=SIGRTMIN+4
 # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
+#
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
diff --git a/config/centos.common.conf.in b/config/centos.common.conf.in
index a463e42..8a72ad0 100644
--- a/config/centos.common.conf.in
+++ b/config/centos.common.conf.in
@@ -17,3 +17,4 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # lxc.cap.drop = setuid # breaks sshd,nfs statd
 # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
diff --git a/config/devuan.common.conf.in b/config/devuan.common.conf.in
new file mode 100644
index 0000000..4e6a6e6
--- /dev/null
+++ b/config/devuan.common.conf.in
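Review bot: Deleting `lxc.cap.drop = setpcap` hands CAP_SETPCAP back to every Alpine container built from this template, and the hunk records no reason for the change; the sibling templates touched in this same commit keep `setpcap` commented out with a rationale (`# big big login delays in Fedora 20 systemd`). CAP_SETPCAP lets a process add capabilities from its bounding set to its inheritable set and alter securebits, so it is a meaningful widening of what a privileged container can do and the trade-off should be visible in the file. Suggest replacing the deleted line with `# lxc.cap.drop = setpcap # <what breaks on Alpine without it>` so the decision is documented the way the other templates do it; the diff does not say what motivated the removal.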
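Review bot: The added `+#` is an empty comment line that says nothing, while the line below it makes the first uncommented capability drop in this file; the surrounding context lines show the file's convention of recording why each cap is or is not dropped. Suggest giving that line content, e.g. `# Drop caps a normal container does not need; sys_rawio covers ioperm/iopl and raw device I/O, setfcap covers writing file capabilities`. Separately, dropping `setfcap` is worth testing against a package upgrade inside a privileged container, since package managers apply file capabilities to some binaries (ping is a common example) and will need CAP_SETFCAP to do so; if that breaks, this file should say so next to the drop. `lxc.cap.drop` entries accumulate with whatever the included common.conf already drops, so if that file already lists `sys_rawio` the repeat here is harmless but redundant.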
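Review bot: This hunk drops `sys_nice sys_pacct sys_rawio` but not `setfcap`, whereas the archlinux and fedora hunks in the same commit drop all four, and nothing in the file explains the difference. The three context lines above show the file's existing convention for exactly this situation (`# breaks sshd,nfs statd`, `# breaks sshd (set_loginuid failed)`), so a matching line such as `# lxc.cap.drop = setfcap # rpm needs CAP_SETFCAP to apply file capabilities on install — TODO confirm` would make the omission deliberate rather than accidental. If the omission is not deliberate and CentOS behaves like Fedora here, the two templates should agree; the diff alone does not say which it is.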
@@ -0,0 +1,28 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
+# Doesn't support consoles in /dev/lxc/
+lxc.tty.dir =
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.apparmor.profile = unconfined
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.apparmor.profile = lxc-container-default-with-mounting
+
+# Extra cgroup device access
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
diff --git a/config/devuan.userns.conf.in b/config/devuan.userns.conf.in
new file mode 100644
index 0000000..707bb30
--- /dev/null
+++ b/config/devuan.userns.conf.in
@@ -0,0 +1,2 @@
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/fedora.common.conf.in b/config/fedora.common.conf.in
index 365e5ff..acebe3c 100644
--- a/config/fedora.common.conf.in
+++ b/config/fedora.common.conf.in
@@ -18,3 +18,4 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # lxc.cap.drop = audit_control # breaks sshd (set_loginuid failed)
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
+lxc.cap.drop = setfcap sys_nice sys_pacct sys_rawio
diff --git a/config/kali.common.conf.in b/config/kali.common.conf.in
new file mode 100644
index 0000000..4e6a6e6
--- /dev/null
+++ b/config/kali.common.conf.in
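Review bot: This new file is byte-identical to the new kali.common.conf.in (both blobs are 4e6a6e6), so the two will silently drift unless one includes the other or both include a shared Debian-family config; if the tree already carries a debian.common.conf.in, `lxc.include = @LXCTEMPLATECONFIG@/debian.common.conf` in place of the duplicated body is the smaller and safer change. Independently of that, the `lxc.cgroup.devices.allow` block grants every container built from this template rwm on /dev/kvm (`c 10:232`), /dev/net/tun (`c 10:200`) and the hpet device with one-word labels only, while the loop-device line is kept commented with an explanation of when to enable it; the kvm entry exposes the host hypervisor interface and deserves the same opt-in treatment, e.g. `## kvm: only needed to run VMs inside the container; copy uncommented into the container config` above a commented-out line. Note also that, unlike the archlinux/centos/fedora/opensuse templates touched in this same commit, this file adds no `lxc.cap.drop` line at all — presumably inherited from whatever it was copied from, but worth a deliberate decision rather than an accident of copying.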
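Review bot: Dropping `setfcap` is the one entry on the new line that can break package management inside the container: rpm applies file capabilities to some binaries at install time (ping from iputils is a common case) and needs CAP_SETFCAP to do it, so a `dnf upgrade` in a privileged Fedora container may start failing after this change — worth a test before merge. The three context lines above show that this file records which drop breaks what (`# breaks sshd (set_loginuid failed)`, `# big big login delays in Fedora 20 systemd`), yet this first uncommented drop records nothing; suggest a comment either way, e.g. `# setfcap: rpm needs it to apply file capabilities — verified package install still works` or, if it does not, moving `setfcap` to its own commented line with the breakage noted. The `sys_nice sys_pacct sys_rawio` drops look safe for a normal container; `lxc.cap.drop` entries accumulate with whatever the included common.conf already drops, so a repeat of `sys_rawio` there would be redundant but harmless.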
@@ -0,0 +1,28 @@
+# This derives from the global common config
+lxc.include = @LXCTEMPLATECONFIG@/common.conf
+
+# Doesn't support consoles in /dev/lxc/
+lxc.tty.dir =
+
+# When using LXC with apparmor, the container will be confined by default.
+# If you wish for it to instead run unconfined, copy the following line
+# (uncommented) to the container's configuration file.
+#lxc.apparmor.profile = unconfined
+
+# If you wish to allow mounting block filesystems, then use the following
+# line instead, and make sure to grant access to the block device and/or loop
+# devices below in lxc.cgroup.devices.allow.
+#lxc.apparmor.profile = lxc-container-default-with-mounting
+
+# Extra cgroup device access
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## hpet
+lxc.cgroup.devices.allow = c 10:228 rwm
+## kvm
+lxc.cgroup.devices.allow = c 10:232 rwm
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
diff --git a/config/kali.userns.conf.in b/config/kali.userns.conf.in
new file mode 100644
index 0000000..707bb30
--- /dev/null
+++ b/config/kali.userns.conf.in
@@ -0,0 +1,2 @@
+# This derives from the global userns config
+lxc.include = @LXCTEMPLATECONFIG@/userns.conf
diff --git a/config/opensuse.common.conf.in b/config/opensuse.common.conf.in
index 536df96..c312395 100644
--- a/config/opensuse.common.conf.in
+++ b/config/opensuse.common.conf.in
@@ -19,5 +19,6 @@ lxc.include = @LXCTEMPLATECONFIG@/common.conf
 # lxc.cap.drop = audit_write
 # lxc.cap.drop = setpcap # big big login delays in Fedora 20 systemd
 # lxc.cap.drop = setfcap
+lxc.cap.drop = sys_nice sys_pacct sys_rawio
 lxc.tty.dir =
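Review bot: The content here is a verbatim copy of devuan.common.conf.in (both blobs are 4e6a6e6), down to the comment `# Doesn't support consoles in /dev/lxc/`, which reads like a statement about whatever Debian-family file it was copied from rather than something verified on Kali; if it was checked, say so, and if a shared Debian config exists in the tree, `lxc.include = @LXCTEMPLATECONFIG@/debian.common.conf` would keep the two copies from diverging. The device allow-list also opens /dev/kvm (`c 10:232 rwm`) to every container unconditionally; for a template whose containers are more likely to run pentest tooling than nested VMs, the least-privilege default is to keep that line commented like the loop-device one (`#lxc.cgroup.devices.allow = c 10:232 rwm`) with a note to enable it only when virtualization inside the container is wanted. The `## rtc`, `## tun` and `## hpet` labels would likewise benefit from one clause each on why a Kali container needs them, since the file otherwise explains the opt-in entries but not the ones granted by default.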