Prevent LXC containers from using dmesg Print

  • 2


Step 1: Create the directory to put the configuration file in to prevent 'dmesg' from working:

mkdir /etc/pve/lxcseccomp

Step 2: Edit the file to contain the correct values:

nano -w /etc/pve/lxc/seccomp/disabledmesg

Step 3: Add the following content in the file:

syslog errno 1

Step 4: Save the file and exit the editor (ctrl+x -> Y -> Enter)

Step 5: Edit the container you like to prevent the 'dmesg' command from working: nano -w /etc/pve/lxc/<CTID>.conf

Step 6: Add the following lines to it:

lxc.cap.drop: sys_rawio
lxc.seccomp: /etc/pve/lxc/seccomp/disabledmesg

Step 7: Restart the container via the Web Gui or manually

That's it! When you execute 'dmesg' in the container, you should see this:

klogctl: Operation not permitted

Was this answer helpful?

« Back