# Taken from the oracle.common.conf.in
# Console settings

lxc.devttydir = lxc
lxc.tty = 4
lxc.pts = 1024

# Mount entries
lxc.mount.auto = proc:mixed sys:ro

# Ensure hostname is changed on clone
lxc.hook.clone = /usr/share/lxc/hooks/clonehostname

# Capabilities
# Uncomment these if you don't run anything that needs the capability, and
# would like the container to run with less privilege.
#
# Dropping sys_admin disables container root from doing a lot of things
# that could be bad like re-mounting lxc fstab entries rw for example,
# but also disables some useful things like being able to nfs mount, and
# things that are already namespaced with ns_capable() kernel checks, like
# hostname(1).
# lxc.cap.drop = sys_admin
# lxc.cap.drop = net_raw          # breaks dhcp/ping
# lxc.cap.drop = setgid           # breaks login (initgroups/setgroups)
# lxc.cap.drop = dac_read_search  # breaks login (pam unix_chkpwd)
# lxc.cap.drop = setuid           # breaks sshd,nfs statd
# lxc.cap.drop = audit_control    # breaks sshd (set_loginuid failed)
# lxc.cap.drop = audit_write
#
lxc.cap.drop = mac_admin mac_override
lxc.cap.drop = sys_module sys_nice sys_pacct
lxc.cap.drop = sys_rawio sys_time

# Control Group devices: all denied except those whitelisted
lxc.cgroup.devices.deny = a
# Allow any mknod (but not reading/writing the node)
lxc.cgroup.devices.allow = c *:* m
lxc.cgroup.devices.allow = b *:* m
lxc.cgroup.devices.allow = c 1:3 rwm	# /dev/null
lxc.cgroup.devices.allow = c 1:5 rwm	# /dev/zero
lxc.cgroup.devices.allow = c 1:7 rwm	# /dev/full
lxc.cgroup.devices.allow = c 5:0 rwm	# /dev/tty
lxc.cgroup.devices.allow = c 1:8 rwm	# /dev/random
lxc.cgroup.devices.allow = c 1:9 rwm	# /dev/urandom
lxc.cgroup.devices.allow = c 136:* rwm	# /dev/tty[1-4] ptys and lxc console
lxc.cgroup.devices.allow = c 5:2 rwm	# /dev/ptmx pty master

# Needed by default docker config
lxc.cgroup.devices.allow = c 5:1 rwm # /dev/console
lxc.cgroup.devices.allow = c 4:0 rwm # /dev/tty0
lxc.cgroup.devices.allow = c 4:1 rwm # /dev/tty1
lxc.cgroup.devices.allow = c 10:200 rwm # /dev/net/tun

# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp