Seccomp configuration not loaded by LXC

I’m still playing a bit with LXC, trying to blacklist some syscalls using seccomp. I’m using LXC built from source and, after following some hints on the internet, I’m not able to block, for example, the “mknod” syscall.

Inside /usr/share/lxc/config/common.conf I’m pointing to a file where the seccomp rules are defined (lxc.seccomp.profile = /usr/share/lxc/config/common.seccomp).

This is my common.seccomp file:

# LXC's parser requires a version line and the policy type before any rule
2
blacklist
reject_force_umount  # comment this to allow umount -f;  not recommended
# rules must live in an architecture section; [all] applies to every arch
[all]
mknod errno 1
# glibc's mknod() and the mknod tool actually issue mknodat; block it as well
mknodat errno 1
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1

It seems that LXC is not reading the configuration file. Should I compile/run LXC with specific flags?

Thanks a lot for your help!


If it’s a manually built LXC, you’ll want to make sure you passed --enable-seccomp.

A trace level log of lxc-start would also show you what’s going on.
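The following is an added example, not code from this thread or from the LXC project. It is a small probe to run inside the container to check whether the profile is actually enforced: each syscall the profile lists is issued through syscall(2) and the result is reported as either allowed or the errno it produced, where EPERM is exactly what `errno 1` in the profile means. It assumes a Linux host where /tmp is writable by the probe, and the helper names (`probe_raw`, `probe_mknodat`, `probe_mknod`, `describe`) are my own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/*
 * Issue a raw syscall and report 0 on success or the errno it produced.
 * Going through syscall(2) instead of the libc wrapper matters here:
 * glibc implements mknod() on top of the mknodat syscall, so a profile that
 * lists only "mknod" never sees what the mknod(1) tool actually does.
 */
static int probe_raw(long nr, long a1, long a2, long a3, long a4)
{
    errno = 0;
    if (syscall(nr, a1, a2, a3, a4) == -1)
        return errno;
    return 0;
}

/* Create and immediately remove a FIFO node under `dir` via mknodat.
 * Unprivileged processes may create FIFOs, so this succeeds unless seccomp
 * (or the directory itself) gets in the way. Returns 0 or an errno value. */
static int probe_mknodat(const char *dir)
{
    char path[4096];
    int rc;

    snprintf(path, sizeof(path), "%s/seccomp-probe-%ld", dir, (long)getpid());
    rc = probe_raw(SYS_mknodat, AT_FDCWD, (long)path, S_IFIFO | 0600, 0);
    if (rc == 0)
        unlink(path);
    return rc;
}

#ifdef SYS_mknod
/* Same probe through the legacy mknod syscall (absent on e.g. arm64). */
static int probe_mknod(const char *dir)
{
    char path[4096];
    int rc;

    snprintf(path, sizeof(path), "%s/seccomp-probe-legacy-%ld", dir, (long)getpid());
    rc = probe_raw(SYS_mknod, (long)path, S_IFIFO | 0600, 0, 0);
    if (rc == 0)
        unlink(path);
    return rc;
}
#endif

static const char *describe(int rc)
{
    if (rc == 0)
        return "ALLOWED";
    if (rc == EPERM)
        return "denied with EPERM (matches 'errno 1' in the profile)";
    return strerror(rc);
}

int main(void)
{
    printf("mknodat:     %s\n", describe(probe_mknodat("/tmp")));
#ifdef SYS_mknod
    printf("mknod:       %s\n", describe(probe_mknod("/tmp")));
#else
    printf("mknod:       no such syscall on this architecture (only mknodat exists)\n");
#endif
    /* These need CAP_SYS_BOOT / CAP_SYS_MODULE, so an unprivileged process gets
     * EPERM from the kernel's capability check anyway; only root inside the
     * container can tell that apart from the seccomp filter. */
    printf("kexec_load:  %s\n", describe(probe_raw(SYS_kexec_load, 0, 0, 0, 0)));
    printf("init_module: %s\n", describe(probe_raw(SYS_init_module, 0, 0, (long)"", 0)));
    return 0;
}
```

Compile it with `cc -o seccomp-probe seccomp-probe.c` and run it inside the container. If the profile is loaded, the entries it covers report EPERM; if mknodat still reports ALLOWED while mknod is denied, the profile only lists the legacy syscall. To confirm the build itself has seccomp support, `ldd $(command -v lxc-start) | grep -i seccomp` should show libseccomp when liblxc is dynamically linked, and starting the container with `lxc-start -n <name> -F -l TRACE -o /tmp/lxc-trace.log` followed by `grep -i seccomp /tmp/lxc-trace.log` is the trace-level log mentioned above.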

Where should I use it?

Actually, I cannot see any trace-level logs regarding seccomp.

EDIT: ./configure --enable-seccomp

Thanks a lot for your help!!