🔧 How to Block Dangerous Syscalls Per-Container

Use cella's active syscall blocking mode to prevent containers from calling dangerous system calls like ptrace, mount, or kexec_load.

1. Select the Container

Navigate to the target container in the main list. This only works for LXD containers (not Docker).

2. Enable Blocking

Press Z to toggle LXD BPF syscall deny for the selected container.

cella sets security.syscalls.deny via the LXD API; LXD applies that key as a seccomp-BPF filter in the kernel, so the following syscalls fail with EPERM:

3. Operator Approval

When bpftrace detects an attempt to call a blocked syscall, an approval overlay appears:

4. Disable

Press Z again on the same container to remove the deny list.

⚠️ Blocking syscalls may break containerized applications that legitimately need them. Test in a non-production environment first.

5. Check Status

Open the Policy panel (P) to see the current syscall blocking status for all containers — a ⛔ icon indicates active blocking.
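The same toggle and status check, done directly against the LXD REST API rather than through cella's keybindings. This is an added example, not cella's own code: the socket path, the container name and the deny-list value format are assumptions, and the deny list itself is just the three syscalls named above.

```python
import http.client
import json
import socket

LXD_SOCKET = "/var/snap/lxd/common/lxd/unix.socket"  # assumed snap install path
DENY_KEY = "security.syscalls.deny"
# Only the syscalls the how-to names; separator format is an assumption,
# check the key's documentation for your LXD version.
DEFAULT_DENY = "ptrace,mount,kexec_load"


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that talks to the local LXD daemon over its unix socket."""

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(LXD_SOCKET)


def toggle_deny(config, deny=DEFAULT_DENY):
    """Return a copy of the instance config with the deny key flipped (the Z key)."""
    new = dict(config)
    if DENY_KEY in new:
        del new[DENY_KEY]      # second press: remove the deny list
    else:
        new[DENY_KEY] = deny   # first press: listed syscalls now return EPERM
    return new


def blocking_status(config):
    """True when a non-empty deny list is set (what the Policy panel flags)."""
    return bool(config.get(DENY_KEY, "").strip())


def lxd_request(method, path, body=None):
    conn = UnixHTTPConnection("lxd")
    conn.request(method, path, body=json.dumps(body) if body else None,
                 headers={"Content-Type": "application/json"})
    resp = json.loads(conn.getresponse().read())
    conn.close()
    if resp.get("type") == "error":
        raise RuntimeError(resp.get("error"))
    return resp["metadata"]


def press_z(name):
    """GET the instance, flip the deny key, PUT the whole object back."""
    inst = lxd_request("GET", f"/1.0/instances/{name}")
    inst["config"] = toggle_deny(inst["config"])
    lxd_request("PUT", f"/1.0/instances/{name}", inst)  # async operation
    return blocking_status(inst["config"])


if __name__ == "__main__":
    print("blocking now active:", press_z("c1"))  # "c1" is an assumed container name
```

Run it once to enable and again to disable, then confirm from inside the container that the listed calls fail with EPERM before relying on it anywhere that matters.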