Confirm
502
edits
Changes
→Intro to seccomp and seccomp-bpf
Seccomp-bpf is a more recent extension to seccomp, which adds the support for [http://en.wikipedia.org/wiki/Berkeley_Packet_Filter BPF (Berkely Packet Filter)] filters.
These filter allow for a more configurable list of system calls that are allowed or denied within the sandbox. Seccomp-bpf is available since Linux version 3.5 and is useable on ARM architecture since Linux version 3.10. Several backports are available for earlier kernel versions.
We have backports for 3.0.x kernels, 3.4 kernels, and 2.6.29 kernels (see bug 790923 and it's children). No backport is necessary for kernels 3.10 and above.
''CONFIG_SECCOMP=y'' and ''CONFIG_SECCOMP_FILTER=y'' are needed in the kernel's config at compile time.
=== How do I call seccomp-bpf ? ===
