I am using Lua as a script language inside my C application.

It suits me well, but I can't understand how can I limit Lua not to call system functions, include other modules, etc.

I want Lua to be able to call only functions that are allowed by me, because user can do all kind of bad things with full Lua + Lua modules power.

Take a look at the Simple Sandbox on the Lua-users wiki: http://lua-users.org/wiki/SandBoxes

Related SO discussions:

• Is there anyway to avoid this security issue in Lua?
• How can I create a secure Lua sandbox?
• How to execute an untrusted Lua file in its own environment from the C API

Sandbox is the term you're looking for. In a nutshell, only export to Lua the functions you want the users to call. It's that simple, really.

You can accomplish this by not loading the os or package modules. Rather than using luaL_openlibs, see this post.