extend seccomp based on systemd-nspawn

This commit is contained in:
Jörg Thalheim 2015-03-31 06:46:30 +00:00
parent 17426c3eeb
commit 272efefdc0
2 changed files with 14 additions and 1 deletions

View File

@ -14,7 +14,7 @@ lxc.pivotdir = lxc_putold
# Blacklist some syscalls which are not safe in privileged
# containers
lxc.seccomp = /usr/share/lxc/config/common.seccomp
lxc.seccomp = /etc/lxc/default.seccomp
lxc.network.type = veth
lxc.network.link = br0

13
default.seccomp Normal file
View File

@ -0,0 +1,13 @@
2
blacklist
reject_force_umount # comment this to allow umount -f; not recommended
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
iopl errno 1
ioperm errno 1
swapon errno 1
swapoff errno 1