Seccomp configuration not loaded by LXC

GinesGarcia · June 25, 2019, 10:13am

Hi!
I’m still playing a bit with LXC trying to blacklist some syscalls using seccomp. I’m using LXC built from source and after following some hints on the internet, I’m not able to block, for example, “mkmod” syscall.

Inside /usr/share/lxc/config/common.conf I’m pointing a file where the seccomp rules are defined (lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp).

This is my common.seccomp file:

2
blacklist
reject_force_umount  # comment this to allow umount -f;  not recommended
[all]
mknod errno 1
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1

It seems that LXC is not reading the configuration file. Should I compile/run LXC with specific flags?

Thanks a lot for your help!

Regards,
Ginés.

stgraber · June 25, 2019, 2:33pm

If it’s a manually built LXC, you’ll want to make sure you passed --enable-seccomp.

A trace level log of lxc-start would also show you what’s going on.

GinesGarcia · June 25, 2019, 2:47pm

Where should I use it?

I cannot see trace level logs regarding seccomp actually.

EDIT: ./configure --enable-seccomp

Thanks a lot for your help!!