diff --git a/config/templates/Makefile.am b/config/templates/Makefile.am
index d0b1c8763..dec62d98e 100644
--- a/config/templates/Makefile.am
+++ b/config/templates/Makefile.am
@@ -21,4 +21,5 @@ templatesconfig_DATA = \
 	ubuntu-cloud.userns.conf \
 	ubuntu.common.conf \
 	ubuntu.lucid.conf \
-	ubuntu.userns.conf
+	ubuntu.userns.conf \
+	ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.common.conf.in b/config/templates/ubuntu.common.conf.in
index 1ec323fe4..a61ed79c9 100644
--- a/config/templates/ubuntu.common.conf.in
+++ b/config/templates/ubuntu.common.conf.in
@@ -68,3 +68,7 @@ lxc.cgroup.devices.allow = c 10:232 rwm
 ## To use loop devices, copy the following line to the container's
 ## configuration file (uncommented).
 #lxc.cgroup.devices.allow = b 7:* rwm
+
+# Blacklist some syscalls which are not safe in privileged
+# containers
+lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp
diff --git a/config/templates/ubuntu.priv.seccomp b/config/templates/ubuntu.priv.seccomp
new file mode 100644
index 000000000..e6650ef1c
--- /dev/null
+++ b/config/templates/ubuntu.priv.seccomp
@@ -0,0 +1,8 @@
+2
+blacklist
+[all]
+kexec_load errno 1
+open_by_handle_at errno 1
+init_module errno 1
+finit_module errno 1
+delete_module errno 1
diff --git a/config/templates/ubuntu.userns.conf.in b/config/templates/ubuntu.userns.conf.in
index 5643744df..c744b1d66 100644
--- a/config/templates/ubuntu.userns.conf.in
+++ b/config/templates/ubuntu.userns.conf.in
@@ -17,3 +17,7 @@ lxc.mount.entry = /dev/zero dev/zero none bind,create=file 0 0
 # Extra fstab entries as mountall can't mount those by itself
 lxc.mount.entry = /sys/firmware/efi/efivars sys/firmware/efi/efivars none bind,optional 0 0
 lxc.mount.entry = /proc/sys/fs/binfmt_misc proc/sys/fs/binfmt_misc none bind,optional 0 0
+
+# Default seccomp policy is not needed for unprivileged containers, and
+# non-root users cannot use seccmp without NNP anyway.
+lxc.seccomp =
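Review bot: The new comment above `lxc.seccomp = @LXCTEMPLATECONFIG@/ubuntu.priv.seccomp` in ubuntu.common.conf.in describes the policy as privileged-only, but ubuntu.common.conf is the shared base that the unprivileged templates also include; the restriction ends up privileged-only solely because ubuntu.userns.conf.in resets the key afterwards. A reader of this file alone cannot see that coupling, and anyone adding a new template that includes ubuntu.common.conf without ubuntu.userns.conf inherits the policy unknowingly. I would extend the comment to `# Blacklist some syscalls which are not safe in privileged containers.` / `# ubuntu.userns.conf clears this again, since unprivileged containers` / `# are confined by the user namespace instead.` so the override relationship is documented where the policy is set.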
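Review bot: The new policy file ubuntu.priv.seccomp carries no explanation of its format or intent, and a denylist is only as good as its completeness: the list blocks `kexec_load` but not the newer `kexec_file_load`, which loads a kernel through the same mechanism; whether it can be named depends on the libseccomp and kernel in use, so it would need to be verified on the build host before being added. Because LXC's v2 seccomp parser skips lines beginning with `#`, I would open the file with a short header saying that the `2` and `blacklist` lines select the version-2 denylist format, that `[all]` applies the rules to every architecture, and that `errno 1` makes each listed call fail with EPERM rather than killing the process, so that a container still runs but loses the ability to load kernel modules, kexec a kernel, or open files by handle. A sentence noting that this file is referenced from ubuntu.common.conf and cleared by ubuntu.userns.conf would also help whoever next edits it.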
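Review bot: The comment added above `lxc.seccomp =` in ubuntu.userns.conf.in misspells the subsystem and uses an abbreviation the file does not define; `# non-root users cannot use seccmp without NNP anyway.` should read `# non-root users cannot use seccomp without no_new_privs (NNP) anyway.`. It is also worth saying explicitly that the empty assignment clears the value inherited from ubuntu.common.conf, since an empty `lxc.seccomp =` otherwise looks like an accidental leftover; the claim that non-root users cannot apply a filter without no_new_privs is a kernel rule I cannot confirm from this diff, so it is best kept as the author's stated rationale.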