extend seccomp based on systemd-nspawn

default.conf

@@ -14,7 +14,7 @@ lxc.pivotdir = lxc_putold
 
 # Blacklist some syscalls which are not safe in privileged
 # containers
-lxc.seccomp = /usr/share/lxc/config/common.seccomp
+lxc.seccomp = /etc/lxc/default.seccomp
 
 lxc.network.type = veth
 lxc.network.link = br0

default.seccomp

@@ -0,0 +1,13 @@
+2
+blacklist
+reject_force_umount  # comment this to allow umount -f;  not recommended
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
+iopl errno 1
+ioperm errno 1
+swapon errno 1
+swapoff errno 1