mrrl-containers

MRRL version of container scripts
git clone https://ccx.te2000.cz/git/mrrl-containers

commit 407c24d106815e8f7d2563b88f348d171e441b9b
parent aa69a0fc1c82c14b945b9b7348306a4e82bb0bbc
Author: Jan Pobrislo <ccx@te2000.cz>
Date:   Mon,  5 May 2025 22:33:31 +0000

Add seccomp syscall allowlist to all "generic" containers

Diffstat:
M service_scripts/generic/run | 1 +
1 file changed, 1 insertion(+), 0 deletions(-)

diff --git a/service_scripts/generic/run b/service_scripts/generic/run @@ -67,6 +67,7 @@ ns_run_unshared data/root { # This runs with changed / so use absolute paths before dropping privs /mnt/ns/bin/applyuidgid-caps -U $CONTAINER_CAPS +/mnt/ns/bin/seccomp-run /mnt/ns/bin/seccomp-default.bpf /mnt/ns/bin/busybox env HOME=${CONTAINER_USER_HOME} USER=${CONTAINER_USER} /mnt/ns/bin/foreground { /mnt/ns/bin/busybox cat /proc/1/status
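
Review bot: the added seccomp-run line hardcodes /mnt/ns/bin/seccomp-default.bpf for every "generic" container, whereas the capability set on the line just above it comes from $CONTAINER_CAPS. Consider taking the filter path from a per-container variable that falls back to the default (the variable name would be new; none is visible in this hunk), so a service that needs one extra syscall does not force a change to the shared allowlist. Two things are worth a comment next to the new line. First, it runs after applyuidgid-caps has dropped privileges, and the kernel only lets a process without CAP_SYS_ADMIN install a seccomp filter when no_new_privs is set, so note whether seccomp-run sets it. Second, the filter is inherited by everything later in the chain, including the busybox env exec and the foreground block that reads /proc/1/status, so the allowlist has to permit execve and whatever those setup steps use, not only the workload's syscalls. The commit message also does not say how seccomp-default.bpf is produced or how it gets into /mnt/ns/bin; a line on that would help anyone auditing the allowlist.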