How to add syscalls to blacklist?

[________]

Using the latest provided Arch container template (20171214), when the container is setup as unpriveleged, system-networkd fails to setup networking (keyring error) and hence renders the CT pretty useless.

The below LXC command should be able to fix this issue as per github.com/lxc/lxd/issues/4071#issuecomment-349217570:
lxc profile set default security.syscalls.blacklist "keyctl errno 38"

My noob question:
How can this be recreated using Proxmox' commandline tools (pct etc)?
If it is possible to append it to the CT config file in /etc/pve/lxc/, how should it be entered?

 

[fabian]

we already have this in our default seccomp profile for unprivileged containers (since pve-container 2.0-21, which is only available on pvetest so far).

 

[________]

I'm not on pve-test . For the time being where can I update the blacklist without overriding the default seccomp profile?

 

[fabian]

I'm not on pve-test . For the time being where can I update the blacklist without overriding the default seccomp profile?

it's not possible without manually editing generated LXC config files and/or modifying the seccomp profile. barring any showstopper bugs, the pve-container package should move to pve-no-subscription next week.

 

[________]

OK cheers. For now I have it working by adding "keyctl errno 38" to the blacklist in /usr/share/lxc/config/common.seccomp.