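# Install a util-vserver pre-start hook that sets the guest's cgroup device
# whitelist (see https://www.kernel.org/doc/Documentation/cgroups/devices.txt).
# Needs the devices controller compiled in:
#   grep ^CONFIG_CGROUP_DEVICE= /boot/config-$(uname -r)
#
# NOTE(review): the target path contains an empty segment ("//"); it
# presumably carried the guest name (/etc/vservers/<name>/...) that was lost
# in transcription -- confirm before use.
#
# Why a hook script instead of /etc/vservers/<name>/cgroup/devices.{allow,deny}:
# util-vserver applies the files in that directory alphabetically, so
# devices.allow would be written before devices.deny, and the kernel only
# accepts specific allow rules after a generic deny rule is in place.
#
# The heredoc is deliberately unquoted: "\$" keeps the expansions in the
# generated file so that util-vserver, not this installer, resolves them.
cat <<EOF >/etc/vservers//scripts/pre-start
# cgroup device policy for this guest.
# CGROUP_MNT and VSERVER_NAME are provided by util-vserver when it sources
# this hook; "local" relies on that sourcing happening inside a function.
local ALLOW="\${CGROUP_MNT}/\${VSERVER_NAME}/devices.allow"
local DENY="\${CGROUP_MNT}/\${VSERVER_NAME}/devices.deny"

# Fail closed if the devices controller is not mounted for this guest.
# A bare ">" redirect would otherwise create ordinary files at these paths
# and the policy below would silently never be enforced.
# "return" rather than "exit" so the caller decides what to do -- confirm
# that util-vserver treats a non-zero status from a hook as fatal.
if [ ! -f "\${DENY}" ] || [ ! -f "\${ALLOW}" ]; then
    echo "pre-start: no cgroup devices controller at \${CGROUP_MNT}/\${VSERVER_NAME}" >&2
    return 1
fi

# Legacy vserver defaults: deny everything, then grant read/write on every
# character and block device node that exists inside the guest.
# Caveat: "c *:* rw" / "b *:* rw" is very permissive -- any device node the
# guest already has (or later gets bind-mounted in) is usable; what this
# policy actually prevents is the guest creating new nodes with mknod.
echo 'a *:* rwm' >"\${DENY}"
echo 'c *:* rw'  >"\${ALLOW}"
echo 'b *:* rw'  >"\${ALLOW}"

# On top of the defaults, permit mknod for a fixed set of pseudo devices
# (major:minor); nothing else may be created.
echo 'c 1:7 m' >"\${ALLOW}"   # full
echo 'c 1:3 m' >"\${ALLOW}"   # null
echo 'c 5:2 m' >"\${ALLOW}"   # ptmx
echo 'c 1:8 m' >"\${ALLOW}"   # random
echo 'c 5:0 m' >"\${ALLOW}"   # tty
echo 'c 1:9 m' >"\${ALLOW}"   # urandom
echo 'c 1:5 m' >"\${ALLOW}"   # zero
EOF

# The hook must NOT be executable: util-vserver then sources it in its own
# context, which is what gives the script access to CGROUP_MNT and
# VSERVER_NAME.
chmod a-x /etc/vservers//scripts/pre-start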