How does seccomp work on LXC?

Hello everyone,

While experimenting a bit with seccomp filters in LXC, I came up with a few questions about how they actually work in practice.

How are seccomp filters applied in LXC?
For example, I used the following filter:
2
denylist
mknod errno 1
mprotect errno 1

However, when I run the following command:

strace -o lxclog lxc-start -n seccomp

I can still see the mprotect syscall appearing in the logs, yet the container doesn’t start.
This makes me wonder whether the filter is applied during the container startup or only after the process is fully isolated.

Second question:
Are there any tools to create or generate seccomp profiles specifically for LXC?
I’ve found some tools for OCI containers (like Docker or runc), but I haven’t found anything similar for LXC.

Thanks in advance for your insights and suggestions!
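
Added example, not part of the original post: one way to check a trace against the filter above is to parse the policy's `errno` rules and report, for each traced call to a listed syscall, which process made it and whether it returned the configured error. The sample log lines and PIDs are constructed, and the log is assumed to come from `strace -f -o`, which prefixes each line with the PID of the calling process.

```python
import errno
import re

# Policy copied from the post; the strace lines below are constructed samples.
POLICY = """2
denylist
mknod errno 1
mprotect errno 1
"""
STRACE_LOG = """\
4241 mprotect(0x7f1c2a3e4000, 4096, PROT_READ) = 0
4241 openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
4242 mprotect(0x7f1c2a1ff000, 8192, PROT_READ) = -1 EPERM (Operation not permitted)
4242 mknod("/dev/x", S_IFCHR|0600, makedev(0x1, 0x3)) = -1 EPERM (Operation not permitted)
"""

# Optional PID prefix, syscall name, arguments, return value, optional errno name.
CALL = re.compile(r"^(?:(?P<pid>\d+)\s+)?(?P<name>\w+)\(.*\)\s+=\s+(?P<ret>-?\w+)(?:\s+(?P<err>E[A-Z0-9]+))?")


def parse_errno_rules(policy_text):
    """Return {syscall: errno_number} for the 'name errno N' rules of a version 2 policy."""
    lines = [l.strip() for l in policy_text.splitlines() if l.strip()]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("only version 2 policies are handled here")
    rules = {}
    for line in lines[2:]:
        fields = line.split()
        if len(fields) == 3 and fields[1] == "errno" and fields[2].isdigit():
            rules[fields[0]] = int(fields[2])
    return rules


def check_trace(policy_text, strace_text):
    """List (pid, syscall, verdict) for every traced call to a syscall named in the policy."""
    rules = parse_errno_rules(policy_text)
    report = []
    for line in strace_text.splitlines():
        m = CALL.match(line)
        if not m or m["name"] not in rules:
            continue
        expected = errno.errorcode.get(rules[m["name"]])  # 1 -> "EPERM"
        # "denied" means the call returned the policy's errno; the kernel can return
        # the same error for other reasons, so treat it as consistent, not proof.
        denied = m["ret"] == "-1" and m["err"] == expected
        report.append((m["pid"], m["name"], "denied" if denied else "passed"))
    return report


if __name__ == "__main__":
    for pid, name, verdict in check_trace(POLICY, STRACE_LOG):
        print(pid, name, verdict)
```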