gentoo.moresecure.conf.in revision 1609f0fbe1407e083f612a25475de2cb6b9954f7
# Gentoo security oriented default configuration
# This is a more security oriented container configuration.
# "More" because this is far from fully secure.
# Looking for more working features, and you trust your
# container user? See gentoo.common.conf

# do not mount sysfs, see http://blog.bofh.it/debian/id_413
# lxc.mount.entry=sys sys sysfs rw 0 0
lxc.mount.entry=proc proc proc ro,nodev,noexec,nosuid 0 0
lxc.mount.entry=mqueue dev/mqueue mqueue rw,nodev,noexec,nosuid 0 0
lxc.mount.entry=shm dev/shm tmpfs rw,nosuid,nodev,noexec,relatime 0 0
# note: unlike dev/shm above, run is mounted without noexec; add it too if
# nothing in the container needs to execute from /run
lxc.mount.entry=run run tmpfs rw,nosuid,nodev,relatime,mode=755 0 0

# console access
lxc.pts = 1024

# this part is based on 'linux capabilities', see: man 7 capabilities
# eg: you may also wish to drop 'cap_net_raw' (though it breaks ping)
#
# WARNING: the security vulnerability reported for 'cap_net_admin' at
# http://mainisusuallyafunction.blogspot.com/2012/11/attacking-hardened-linux-systems-with.html
# via JIT spraying (the BPF JIT module, disabled on most systems, was used
# in the example, but others are suggested to be vulnerable) meant that a
# user with root in a container, that capability and that kernel module
# could escape the container. ALWAYS be extremely careful granting any
# process root within a container; use a minimal configuration at all
# levels - including the kernel - and multiple layers of security on any
# system where security is a priority. Note that not only LXC but PaX (and
# others?) were vulnerable to this issue.
#
# conservative: lxc.cap.drop = sys_module mknod mac_override sys_boot
# aggressive follows. (leaves open: chown dac_override fowner ipc_lock kill lease net_admin net_bind_service net_broadcast net_raw setgid setuid sys_chroot)
# note that net_admin - the capability discussed in the WARNING above - is
# still granted by the aggressive list; drop it as well if the container
# does not need to configure its own network interfaces.

lxc.cap.drop = audit_control audit_write dac_read_search fsetid ipc_owner linux_immutable mac_admin mac_override mknod setfcap sys_admin sys_boot sys_module sys_pacct sys_ptrace sys_rawio sys_resource sys_time sys_tty_config syslog

# deny access to all devices by default, explicitly grant some permissions
#
# format is [c|b] [major|*]:[minor|*] [r][w][m]
#             ^     ^                  ^
# char/block -'     `- device number   `-- read, write, mknod
#
# note: the 'm' (mknod) bits granted below have no effect while mknod is
# listed in lxc.cap.drop above
#
# first deny all...
lxc.cgroup.devices.deny = a
# /dev/null and zero
lxc.cgroup.devices.allow = c 1:3 rw
lxc.cgroup.devices.allow = c 1:5 rw
# /dev/{,u}random
lxc.cgroup.devices.allow = c 1:9 rw
lxc.cgroup.devices.allow = c 1:8 r
# /dev/pts/*
lxc.cgroup.devices.allow = c 136:* rw
# /dev/ptmx
lxc.cgroup.devices.allow = c 5:2 rw
# /dev/tty{0,1}
lxc.cgroup.devices.allow = c 4:1 rwm
lxc.cgroup.devices.allow = c 4:0 rwm
# /dev/tty
lxc.cgroup.devices.allow = c 5:0 rwm
# /dev/console
lxc.cgroup.devices.allow = c 5:1 rwm