openwrt: add common configuration file

This adds OpenWrt common config file. Signed-off-by: Petar Koretic <petar.koretic@sartura.hr> CC: Luka Perkov <luka.perkov@sartura.hr> Acked-by: Stéphane Graber <stgraber@ubuntu.com>
2025-08-04 04:41:14 +00:00 · 2014-10-30 12:41:49 +00:00 · 2014-10-30 12:41:49 +00:00 · c33bdec826
commit c33bdec826
parent 6b41056280
3 changed files with 58 additions and 0 deletions
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@ -28,4 +28,5 @@ templatesconfig_DATA = \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
 	ubuntu.userns.conf \
+	openwrt.common.conf \
 	userns.conf
--- a/config/templates/openwrt.common.conf.in
+++ b/config/templates/openwrt.common.conf.in
@ -0,0 +1,56 @@
+# Default mount entries
+lxc.mount.entry = proc proc proc nodev,noexec,nosuid 0 0
+lxc.mount.entry = sysfs sys sysfs defaults 0 0
+
+# Default console settings
+lxc.devttydir = lxc
+lxc.tty = 4
+lxc.pts = 1024
+
+# Default capabilities
+lxc.cap.drop = mac_admin
+lxc.cap.drop = mac_override
+lxc.cap.drop = sys_admin
+lxc.cap.drop = sys_module
+lxc.cap.drop = sys_nice
+lxc.cap.drop = sys_pacct
+lxc.cap.drop = sys_ptrace
+lxc.cap.drop = sys_rawio
+lxc.cap.drop = sys_resource
+lxc.cap.drop = sys_time
+lxc.cap.drop = sys_tty_config
+lxc.cap.drop = syslog
+lxc.cap.drop = wake_alarm
+
+# Default cgroups - all denied except those whitelisted
+lxc.cgroup.devices.deny = a
+## /dev/null and zero
+lxc.cgroup.devices.allow = c 1:3 rwm
+lxc.cgroup.devices.allow = c 1:5 rwm
+## consoles
+lxc.cgroup.devices.allow = c 5:0 rwm
+lxc.cgroup.devices.allow = c 5:1 rwm
+## /dev/{,u}random
+lxc.cgroup.devices.allow = c 1:8 rwm
+lxc.cgroup.devices.allow = c 1:9 rwm
+## /dev/pts/*
+lxc.cgroup.devices.allow = c 5:2 rwm
+lxc.cgroup.devices.allow = c 136:* rwm
+## rtc
+lxc.cgroup.devices.allow = c 254:0 rm
+## fuse
+lxc.cgroup.devices.allow = c 10:229 rwm
+## tun
+lxc.cgroup.devices.allow = c 10:200 rwm
+## dev/tty0
+lxc.cgroup.devices.allow = c 4:0 rwm
+## dev/tty1
+lxc.cgroup.devices.allow = c 4:1 rwm
+
+## To use loop devices, copy the following line to the container's
+## configuration file (uncommented).
+#lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = /usr/share/lxc/config/common.seccomp
--- a/configure.ac
+++ b/configure.ac
@ -646,6 +646,7 @@ AC_CONFIG_FILES([
 	config/templates/ubuntu.common.conf
 	config/templates/ubuntu.lucid.conf
 	config/templates/ubuntu.userns.conf
+	config/templates/openwrt.common.conf
 	config/templates/userns.conf
 	config/yum/Makefile
 	config/sysconfig/Makefile