How to add syscalls to blacklist?

Jan 11, 2018
Using the latest provided Arch container template (20171214), when the container is set up as unprivileged, systemd-networkd fails to set up networking (keyring error) and hence renders the CT pretty useless.

The below LXC command should be able to fix this issue as per github.com/lxc/lxd/issues/4071#issuecomment-349217570:
lxc profile set default security.syscalls.blacklist "keyctl errno 38"

My noob question:
How can this be recreated using Proxmox's command-line tools (pct etc.)?
If it is possible to append it to the CT config file in /etc/pve/lxc/, how should it be entered?
 
We already have this in our default seccomp profile for unprivileged containers (since pve-container 2.0-21, which is only available on pvetest so far).
 
I'm not on pvetest. For the time being, where can I update the blacklist without overriding the default seccomp profile?
 

It's not possible without manually editing generated LXC config files and/or modifying the seccomp profile. Barring any showstopper bugs, the pve-container package should move to pve-no-subscription next week.
 
OK cheers. For now I have it working by adding "keyctl errno 38" to the blacklist in /usr/share/lxc/config/common.seccomp.
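The workaround above hand-edits the packaged common.seccomp, which a package upgrade can overwrite. As an added example (not from this thread or from Proxmox), the shell functions below add the same "keyctl errno 38" rule idempotently to a profile copy, and refuse to touch a profile whose second line is not "blacklist", since in a whitelist profile that same line would allow keyctl rather than block it. The sample profile is constructed to mirror the v2 format of common.seccomp; the function and variable names are assumptions.

```shell
# Added example: add the keyctl rule to a v2 blacklist seccomp profile.
# Assumes the "2 / blacklist / [all] / <syscall> errno <n>" text format
# used by lxc's common.seccomp. Helper names are assumptions.

SECCOMP_RULE="keyctl errno 38"

# has_rule PROFILE: succeed if the keyctl rule is already present
has_rule() {
    grep -q -E '^[[:space:]]*keyctl[[:space:]]+errno[[:space:]]+38[[:space:]]*$' "$1"
}

# ensure_rule PROFILE: append the rule exactly once; refuse non-blacklist profiles
ensure_rule() {
    profile="$1"
    # In a whitelist profile the same line would *allow* keyctl, so check
    # the profile type (second line of the v2 format) before appending.
    if ! sed -n '2p' "$profile" | grep -q -x 'blacklist'; then
        echo "refusing: $profile is not a v2 blacklist profile" >&2
        return 1
    fi
    if has_rule "$profile"; then
        return 0
    fi
    printf '%s\n' "$SECCOMP_RULE" >> "$profile"
}

# count_rule PROFILE: number of keyctl rule lines (proves idempotence)
count_rule() {
    grep -c -E '^[[:space:]]*keyctl[[:space:]]+errno[[:space:]]+38' "$1" || true
}

# make_sample_profile PATH: constructed sample modelled on the packaged
# /usr/share/lxc/config/common.seccomp (work on a copy, not the original)
make_sample_profile() {
    cat > "$1" <<'EOF'
2
blacklist
reject_force_umount  # comment on system call number
[all]
kexec_load errno 1
open_by_handle_at errno 1
init_module errno 1
finit_module errno 1
delete_module errno 1
EOF
}
```

Point the container at the edited copy instead of the packaged file so the rule survives package upgrades.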