seccomp: add rule to reject umount -f If a container has a bind mount from a host nfs or fuse filesystem, and does 'umount -f', it will disconnect the host's filesystem. This patch adds a seccomp rule to block umount -f from a container. It also adds that rule to the default seccomp profile. Thanks stgraber for the idea :) Signed-off-by: Serge Hallyn <serge.hallyn@ubuntu.com> Acked-by: Stéphane Graber <stgraber@ubuntu.com>

Enable default seccomp profile for all distros This updates the common config to include Serge's seccomp profile by default for privileged containers. Signed-off-by: Stéphane Graber <stgraber@ubuntu.com> Acked-by: Serge E. Hallyn <serge.hallyn@ubuntu.com>