I’m still playing a bit with LXC, trying to blacklist some syscalls using seccomp. I’m using LXC built from source and, after following some hints on the internet, I’m not able to block, for example, the “mknod” syscall.
Inside /usr/share/lxc/config/common.conf I’m pointing at a file where the seccomp rules are defined (lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp).
This is my common.seccomp file:
    2
    blacklist reject_force_umount # comment this to allow umount -f; not recommended
    [all]
    mknod errno 1
    kexec_load errno 1
    open_by_handle_at errno 1
    init_module errno 1
    finit_module errno 1
    delete_module errno 1
It seems that LXC is not reading the configuration file. Should I compile/run LXC with specific flags?
Thanks a lot for your help!
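As an added example (not code from the post or from LXC), the following parses a seccomp v2 profile like the one above, reports the action each listed syscall will get, and interprets the `Seccomp:` field of `/proc/<pid>/status`, which is the quickest way to confirm whether a filter was actually applied to the container's init process. The default action for a rule that names no action (kill in a blacklist, allow in a whitelist) is my assumption about LXC's parser.

```python
# Added example: inspect an LXC seccomp v2 profile and check whether a filter
# is in effect. Sample profile below is the one from the post, embedded here.
import errno
import re

PROFILE = """\
2
blacklist reject_force_umount # comment this to allow umount -f; not recommended
[all]
mknod errno 1
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
"""

_ARCH_HDR = re.compile(r'^\[(\w+)\]$')

def parse_lxc_seccomp_v2(text):
    """Return (policy, flags, rules); rules maps arch -> {syscall: action}."""
    lines = [l.split('#', 1)[0].strip() for l in text.splitlines()]
    lines = [l for l in lines if l]
    if not lines or lines[0] != '2':
        raise ValueError('first line must be the profile version "2"')
    policy, *flags = lines[1].split()
    if policy not in ('blacklist', 'whitelist'):
        raise ValueError('second line must start with blacklist or whitelist')
    # Assumption about LXC defaults: a rule without an explicit action means
    # "kill" in a blacklist profile and "allow" in a whitelist profile.
    default_action = 'kill' if policy == 'blacklist' else 'allow'
    rules, arch = {}, None
    for line in lines[2:]:
        m = _ARCH_HDR.match(line)
        if m:                       # section header such as [all] or [x86_64]
            arch = m.group(1)
            rules.setdefault(arch, {})
            continue
        if arch is None:
            raise ValueError(f'rule "{line}" appears before any [arch] section')
        name, *action = line.split()
        rules[arch][name] = ' '.join(action) or default_action
    return policy, flags, rules

def describe_action(action):
    """Meaning of a rule action, e.g. 'errno 1' -> 'fail with EPERM'."""
    kind, *arg = action.split()
    if kind == 'errno':
        num = int(arg[0])
        return f'fail with {errno.errorcode.get(num, num)}'
    return {'kill': 'kill the process', 'trap': 'raise SIGSYS', 'allow': 'allow'}.get(kind, action)

def seccomp_mode_from_status(status_text):
    """Seccomp field of /proc/<pid>/status: 0 = off, 1 = strict, 2 = filter, None = absent."""
    m = re.search(r'^Seccomp:\s*(\d)', status_text, re.M)
    return int(m.group(1)) if m else None
```

To check a running container, read `/proc/$(lxc-info -n NAME -p -H)/status` from the host and pass its contents to `seccomp_mode_from_status`; anything other than 2 means no filter was loaded, so LXC never applied the profile.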