extend seccomp based on systemd-nspawn

2015-03-31 06:46:30 +00:00 · 2015-03-31 06:46:30 +00:00 · 272efefdc0
parent 17426c3eeb
commit 272efefdc0
2 changed files with 14 additions and 1 deletions
--- a/default.conf
+++ b/default.conf
@ -14,7 +14,7 @@ lxc.pivotdir = lxc_putold

 # Blacklist some syscalls which are not safe in privileged
 # containers
-lxc.seccomp = /usr/share/lxc/config/common.seccomp
+lxc.seccomp = /etc/lxc/default.seccomp

 lxc.network.type = veth
 lxc.network.link = br0
--- a/default.seccomp
+++ b/default.seccomp
@ -0,0 +1,13 @@
+2
+blacklist
+reject_force_umount  # comment this to allow umount -f;  not recommended
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
+iopl errno 1
+ioperm errno 1
+swapon errno 1
+swapoff errno 1