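#!/usr/bin/env bash
# Install a util-vserver "pre-start" scriptlet for one guest that confines the
# guest's device access with the cgroup devices controller
# (https://www.kernel.org/doc/Documentation/cgroups/devices.txt).
#
# Usage: <this-script> <vserver-name>
#
# Why a scriptlet instead of /etc/vservers/<name>/cgroup/devices.{allow,deny}:
# files in that directory are processed alphabetically, so devices.allow would
# be applied before devices.deny, but the kernel only accepts specific allow
# entries once the generic deny policy is in place.
#
# Requires CONFIG_CGROUP_DEVICE=y in the running kernel; check with
#   grep ^CONFIG_CGROUP_DEVICE= /boot/config-$(uname -r)
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Print the pre-start scriptlet source to stdout.
# Globals:   none
# Arguments: none
# Outputs:   scriptlet text; util-vserver sources it at guest start and
#            supplies CGROUP_MNT and VSERVER_NAME from its environment
#######################################
device_policy_scriptlet() {
  # Quoted delimiter: nothing in the body is expanded at install time (the
  # original unquoted heredoc had to backslash every '$' and still expanded
  # $(uname -r) inside a comment). Every ${VAR} below is resolved by
  # util-vserver when the guest starts.
  cat <<'EOF'
# Sourced by util-vserver before the guest starts; CGROUP_MNT and VSERVER_NAME
# come from its environment. 'local' assumes util-vserver sources this file
# from inside a shell function -- confirm for the installed util-vserver version.
local ALLOW="${CGROUP_MNT}/${VSERVER_NAME}/devices.allow"
local DENY="${CGROUP_MNT}/${VSERVER_NAME}/devices.deny"

# Legacy vserver defaults. Deny everything first: the kernel rejects specific
# allow entries until a generic deny policy exists ...
printf '%s\n' 'a *:* rwm' >"${DENY}"
# ... then allow read/write on all already-existing char and block devices.
# No 'm' here: existing nodes may be used, new ones may not be created.
printf '%s\n' 'c *:* rw' >"${ALLOW}"
printf '%s\n' 'b *:* rw' >"${ALLOW}"

# On top of the defaults, allow mknod of a fixed set of char devices
# (major:minor). Extend this list rather than widening the '*:*' rules.
printf '%s\n' 'c 1:7 m' >"${ALLOW}"   # full
printf '%s\n' 'c 1:3 m' >"${ALLOW}"   # null
printf '%s\n' 'c 5:2 m' >"${ALLOW}"   # ptmx
printf '%s\n' 'c 1:8 m' >"${ALLOW}"   # random
printf '%s\n' 'c 5:0 m' >"${ALLOW}"   # tty
printf '%s\n' 'c 1:9 m' >"${ALLOW}"   # urandom
printf '%s\n' 'c 1:5 m' >"${ALLOW}"   # zero
EOF
}

#######################################
# Write the scriptlet into the guest's configuration directory.
# Globals:   none
# Arguments: $1 - vserver (guest) name, a single path component
# Outputs:   diagnostics on stderr
# Returns:   0 on success; exits non-zero via die on bad input
#######################################
main() {
  local vserver=${1:-}
  [[ -n "$vserver" ]] || die "usage: ${0##*/} <vserver-name>"
  # The name becomes a path component under /etc/vservers; refuse anything
  # that could escape that directory.
  [[ "$vserver" != */* && "$vserver" != .* ]] \
    || die "invalid vserver name: ${vserver}"

  local cfgdir="/etc/vservers/${vserver}"
  local scriptlet="${cfgdir}/scripts/pre-start"
  [[ -d "$cfgdir" ]] || die "no such vserver configuration: ${cfgdir}"

  mkdir -p -- "${cfgdir}/scripts"
  device_policy_scriptlet >"$scriptlet"
  # Must NOT be executable: util-vserver sources non-executable scriptlets in
  # its own shell, which is what gives them CGROUP_MNT and VSERVER_NAME.
  chmod a-x -- "$scriptlet"
}

main "$@"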