extend seccomp based on systemd-nspawn

master
Jörg Thalheim 8 years ago
parent 17426c3eeb
commit 272efefdc0
  1. 2
      default.conf
  2. 13
      default.seccomp

@ -14,7 +14,7 @@ lxc.pivotdir = lxc_putold
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.seccomp = /etc/lxc/default.seccomp
lxc.network.type = veth
lxc.network.link = br0
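Review bot: Pointing `lxc.seccomp` at `/etc/lxc/default.seccomp` ties the container's syscall filter to a locally maintained file instead of the packaged `/usr/share/lxc/config/common.seccomp`. This assumes the `/etc/lxc` line is the new side, since the +/- markers are lost in this view. Later changes to the packaged profile will then not reach these containers unless the local file is updated by hand. I would add a comment above the key, for example `# local profile, intended as common.seccomp plus extra denials; re-sync when lxc is upgraded`. It is also worth confirming that the file is installed before any container using this config starts, because a missing profile path may prevent the container from starting (to be verified for the LXC version in use).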

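--- a/default.seccomp
+++ b/default.seccomp
@@ -0,0 +1,13 @@
+2
+blacklist
+reject_force_umount # comment this to allow umount -f; not recommended
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
+iopl errno 1
+ioperm errno 1
+swapon errno 1
+swapoff errno 1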
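Review bot: `kexec_load` is denied under `[all]` but its sibling syscall `kexec_file_load` is not, so only one of the two kernel interfaces for loading a replacement kernel is covered. I would add `kexec_file_load errno 1` directly after `kexec_load errno 1`, after checking that the libseccomp version in use resolves that name. Because the policy line is `blacklist`, every syscall not named here stays allowed, so the list needs revisiting as the kernel gains syscalls. The file also does not record that it was derived from systemd-nspawn's filter; a short comment naming the source and the date it was taken would help whoever re-syncs it.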