Yesterday I added seccomp filtering support to systemd. I tried to expose this in the simplest possible way, and created the new SystemCallFilter= setting for it:

[Service]
ExecStart=/bin/echo "I am in a sandbox"
SystemCallFilter=brk mmap access open fstat close read fstat mprotect arch_prctl munmap write

It's actually really cool, and dead simple to use. A Cheers! for security! (Requires kernel 3.5)
Shared publiclyView activity