On Fri, Dec 01, 2017 at 01:29:44AM +0000, Colin Watson wrote: > but should be much easier to maintain, and would probably also make it > easier to switch to a syscall-set-confining library if such a thing > exists in the future. Would a version of OpenBSD's pledge() system call have looked appealing to you, if it were implemented as a library interface around seccomp? There's already roughly two dozen categories, though not all may translate well to seccomp's abilities. https://man.openbsd.org/pledge.2 Thanks
Attachment:
signature.asc
Description: PGP signature