```
2
whitelist trap
# 'whitelist' would normally mean kill a task doing any syscall which is not
# whitelisted below. By appending 'trap' to the line, we will cause a SIGSYS
# to be sent to the task instead. 'errno 0' would mean don't allow the system
# call but immediately return 0. 'errno 22' would mean return EINVAL immediately.
[x86_64]
open
close
read
write
mount
umount2
# Since we are listing system calls by name, we can also ask to have them resolved
# for another arch, i.e. for 32/64-bit versions.
[x86]
open
close
read
write
mount
umount2
# Do note that this policy does not whitelist enough system calls to allow a
# system container to boot.
```

Name | Type | Size | Permission
---|---|---|---
lxc-complex.conf | File | 712 B | 0644
lxc-empty-netns.conf | File | 118 B | 0644
lxc-macvlan.conf | File | 289 B | 0644
lxc-no-netns.conf | File | 84 B | 0644
lxc-phys.conf | File | 305 B | 0644
lxc-veth.conf | File | 332 B | 0644
lxc-vlan.conf | File | 308 B | 0644
seccomp-v1.conf | File | 1.35 KB | 0644
seccomp-v2-blacklist.conf | File | 334 B | 0644
seccomp-v2.conf | File | 659 B | 0644