
cgroup device controller script for linux-vserver

a guest
Nov 28th, 2014
  1. cat <<EOF >/etc/vservers/<vserver>/scripts/pre-start
  2. # https://www.kernel.org/doc/Documentation/cgroups/devices.txt
  3. # grep ^CONFIG_CGROUP_DEVICE= /boot/config-$(uname -r)
  4. # infeasible to put entries in /etc/vservers/<vserver>/cgroup/devices.{allow,deny}
  5. # files in /etc/vservers/<vserver>/cgroup are processed alphabetically
  6. # generic deny policy (devices.deny) has to be added before specific allow policies (devices.allow) are accepted
  7.  
  8. local ALLOW="\${CGROUP_MNT}/\${VSERVER_NAME}/devices.allow"
  9. local DENY="\${CGROUP_MNT}/\${VSERVER_NAME}/devices.deny"
  10.  
  11. # start with legacy vserver defaults
  12.  
  13. # deny all privileges to all devices
  14. echo 'a *:* rwm' >"\${DENY}"
  15.  
  16. # allow reading & writing all already-existing devices
  17. echo 'c *:* rw' >"\${ALLOW}"
  18. echo 'b *:* rw' >"\${ALLOW}"
  19.  
  20. # now add permissions in addition to legacy vserver defaults
  21.  
  22. # allow mknoding specific devices
  23. # full
  24. echo 'c 1:7 m' >"\${ALLOW}"
  25. # null
  26. echo 'c 1:3 m' >"\${ALLOW}"
  27. # ptmx
  28. echo 'c 5:2 m' >"\${ALLOW}"
  29. # random
  30. echo 'c 1:8 m' >"\${ALLOW}"
  31. # tty
  32. echo 'c 5:0 m' >"\${ALLOW}"
  33. # urandom
  34. echo 'c 1:9 m' >"\${ALLOW}"
  35. # zero
  36. echo 'c 1:5 m' >"\${ALLOW}"
  37. EOF
  38.  
  39. # insure non-executable so script is executed within the context of util-vserver
  40. # and has access to its environment variables (ie CGROUP_MNT & VSERVER_NAME)
  41. chmod a-x /etc/vservers/<vserver>/scripts/pre-start