extend seccomp based on systemd-nspawn

2015-03-31 06:46:30 +00:00 · 2015-03-31 06:46:30 +00:00 · 272efefdc0
commit 272efefdc0
parent 17426c3eeb
2 changed files with 14 additions and 1 deletions
--- a/default.conf
+++ b/default.conf
@ -14,7 +14,7 @@ lxc.pivotdir = lxc_putold
 # Blacklist some syscalls which are not safe in privileged
 # containers
-lxc.seccomp = /usr/share/lxc/config/common.seccomp
+lxc.seccomp = /etc/lxc/default.seccomp
 lxc.network.type = veth
 lxc.network.link = br0
--- a/default.seccomp
+++ b/default.seccomp
@ -0,0 +1,13 @@
 2
 blacklist
 reject_force_umount  # comment this to allow umount -f;  not recommended
 [all]
 kexec_load errno 1
 open_by_handle_at errno 1
 init_module errno 1
 finit_module errno 1
 delete_module errno 1
 iopl errno 1
 ioperm errno 1
 swapon errno 1
 swapoff errno 1