Add general-purpose seccomp syscall filter
cd-work opened this issue
A general seccomp filter should be used with the Linux sandbox to block system calls which are generally not considered "safe" to be used by sandbox clients.
A good summary of some syscalls which fit this description can be found in Docker's docs:
https://docs.docker.com/engine/security/seccomp/
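As an added example of what such a filter looks like (this is illustration code, not the project's sandbox or Docker's profile), the block below builds a denylist-style seccomp-BPF program in C: it first checks the architecture and kills the process on a mismatch, then returns `EPERM` for a hand-picked set of syscalls taken from those Docker's default profile does not allow (the real Docker profile is an allowlist, so this list is an assumption and only a sample), and allows everything else. A tiny offline evaluator for the three BPF opcodes the filter uses lets the decisions be checked without installing the filter; `install_filter()` does the real installation with `PR_SET_NO_NEW_PRIVS` set first, which is what prevents escaping the filter through setuid binaries. Linux only; `ARCH_NR` is selected for x86_64 and aarch64.

```c
// Added example: denylist-style seccomp-BPF filter for a Linux sandbox,
// with an offline evaluator. Not the project's own code; the denylist is a
// constructed sample, not a complete policy.
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL   /* pre-4.14 headers */
#endif

/* Sample denylist (assumption): syscalls a sandbox client has no business
 * making, all absent from Docker's default allowlist. */
static const int denied_syscalls[] = {
    SYS_mount, SYS_umount2, SYS_pivot_root, SYS_reboot, SYS_kexec_load,
    SYS_init_module, SYS_finit_module, SYS_delete_module,
    SYS_swapon, SYS_swapoff, SYS_acct, SYS_settimeofday, SYS_clock_settime,
    SYS_bpf, SYS_perf_event_open, SYS_keyctl, SYS_add_key, SYS_request_key,
    SYS_open_by_handle_at,
};
#define DENY_COUNT (sizeof denied_syscalls / sizeof denied_syscalls[0])

/* Emit the filter into out[]; returns the instruction count (0 if cap too small). */
size_t build_filter(struct sock_filter *out, size_t cap) {
    size_t need = 3 + 1 + 2 * DENY_COUNT + 1, n = 0;
    if (cap < need) return 0;
    /* 1. Architecture check: syscall numbers only mean something per-arch. */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* 2. Load the syscall number and compare against each denied entry. */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < DENY_COUNT; i++) {
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)denied_syscalls[i], 0, 1);
        out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    /* 3. Everything else is allowed (denylist semantics). */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Offline evaluator for the opcode subset used above; fails closed on anything else. */
uint32_t eval_filter(const struct sock_filter *f, size_t n, uint32_t arch, uint32_t nr) {
    struct seccomp_data d;
    memset(&d, 0, sizeof d);
    d.nr = (int)nr;
    d.arch = arch;
    uint32_t acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *i = &f[pc];
        if (i->code == (BPF_LD | BPF_W | BPF_ABS)) {
            memcpy(&acc, (const char *)&d + i->k, sizeof acc);   /* load field at offset k */
        } else if (i->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == i->k) ? i->jt : i->jf;                   /* relative jump */
        } else if (i->code == (BPF_RET | BPF_K)) {
            return i->k;
        } else {
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;   /* fell off the end */
}

/* Build and evaluate in one step; handy for tests and policy review. */
uint32_t decide(uint32_t arch, uint32_t nr) {
    struct sock_filter insns[64];
    size_t n = build_filter(insns, sizeof insns / sizeof insns[0]);
    return eval_filter(insns, n, arch, nr);
}

/* Install the filter for the calling thread; returns 0 on success. */
int install_filter(void) {
    struct sock_filter insns[64];
    size_t n = build_filter(insns, sizeof insns / sizeof insns[0]);
    struct sock_fprog prog = { .len = (unsigned short)n, .filter = insns };
    /* Unprivileged loading requires no_new_privs; it also closes the setuid escape. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    if (install_filter() != 0) { perror("install_filter"); return 1; }
    /* A denied syscall now fails with EPERM rather than killing the process. */
    if (mount("none", "/mnt", "tmpfs", 0, NULL) == -1 && errno == EPERM)
        puts("mount: blocked by seccomp (EPERM)");
    return 0;
}
```

Returning `EPERM` instead of `SECCOMP_RET_KILL_PROCESS` for the denied list makes misbehaving clients visible as failed calls rather than silent crashes; flipping the action is a one-line change. The architecture check matters because a filter installed without it can be bypassed on x86_64 by entering the 32-bit syscall table, where the same numbers mean different calls.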