[lxc-users] Failure to start a container with 'lxc.seccomp' option set
Serge Hallyn
serge.hallyn at ubuntu.com
Mon Apr 28 17:50:45 UTC 2014
Quoting Nels Nelson (nels.n.nelson at gmail.com):
> Greetings, Serge,-
>
> Here is the additional information that you requested:
>
> https://gist.github.com/nelsnelson/11298117
>
> Thanks for looking into this for me.
Ok, thanks. That looks exactly as I'd expect:
lxc-start 1398611507.445 DEBUG lxc_start - Container violated its seccomp policy
I'm not sure what your sandboxing goal is, but take a look at /usr/share/lxc/seccomp.full
created by /usr/share/lxc/seccomp.script (if you're on ubuntu) for a whitelist policy
that should generally work. A blacklist policy generally will be easier to deal with,
which would look like:
2
blacklist
mknod
(to disallow the mknod syscall only)
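The policy layout described above (version line, `blacklist`/`whitelist` line, one syscall per line) is simple enough to check mechanically before handing it to lxc.seccomp. The script below is an added example, not code from the thread or from LXC: it parses such a version-2 policy, reports what a given syscall would get, flags a whitelist that omits `execve` (assumption: lxc-start execs the container's init after loading the filter, so a whitelist without it fails at start), and picks out the "Container violated its seccomp policy" debug line from a log. The per-rule `errno N` action and `[arch]` section headers follow the lxc.container.conf(5) syntax and are assumptions relative to this page; all sample inputs are constructed.

```python
import re

# Constructed sample inputs: the blacklist policy from the thread, a whitelist
# policy with a per-arch section, and the lxc-start debug line quoted above.
BLACKLIST_TEXT = "2\nblacklist\nmknod\n"
WHITELIST_TEXT = "2\nwhitelist\n[x86]\nread\nwrite\nexit_group\n"
LOG_TEXT = ("lxc-start 1398611507.445 DEBUG lxc_start - Container violated its seccomp policy\n"
            "lxc-start 1398611507.446 INFO  lxc_start - unrelated message\n")
VIOLATION = re.compile(r"\bContainer violated its seccomp policy\b")

def parse_policy(text):
    """Parse a version-2 lxc.seccomp file into (mode, default_action, rules)."""
    lines = [ln.split("#", 1)[0].strip() for ln in text.splitlines()]
    lines = [ln for ln in lines if ln]
    if len(lines) < 2 or lines[0] != "2":
        raise ValueError("first line must be the policy version '2'")
    head = lines[1].split()
    mode = head[0]
    if mode not in ("whitelist", "blacklist"):
        raise ValueError("second line must be 'whitelist' or 'blacklist'")
    default = " ".join(head[1:]) or "kill"   # optional 'errno N' default, else kill
    rules = {}                                # syscall name -> explicit action or ""
    for ln in lines[2:]:
        if ln.startswith("[") and ln.endswith("]"):
            continue                          # per-arch header such as [x86]; arch not modelled here
        name, *action = ln.split()
        rules[name] = " ".join(action)
    return mode, default, rules

def evaluate(policy, syscall):
    """None if the syscall is allowed, otherwise the action applied to it."""
    mode, default, rules = policy
    if mode == "blacklist":
        return None if syscall not in rules else (rules[syscall] or "kill")
    return None if syscall in rules else default

def missing_for_start(policy, required=("execve",)):
    """Whitelist sanity check: syscalls lxc-start still needs after loading
    the filter (assumption: at least execve, to exec the container's init)."""
    mode, _, rules = policy
    return [s for s in required if mode == "whitelist" and s not in rules]

def violations(log_text):
    """Return log lines recording a seccomp violation, as a detection hook."""
    return [ln for ln in log_text.splitlines() if VIOLATION.search(ln)]

if __name__ == "__main__":
    print("mknod under blacklist:", evaluate(parse_policy(BLACKLIST_TEXT), "mknod"))
    print("whitelist missing:", missing_for_start(parse_policy(WHITELIST_TEXT)))
    print("violations:", violations(LOG_TEXT))
```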