Seccomp itself works because it has the extremely huge advantage of being extremely strict and limited. It can do what it is supposed to do so well (almost full containment) because the problem set is so small. Jail something utterly and only let it talk to the world outside over a very draconian path, without any capabilities of directly modifying system state (other than consume some very defined system resources).
It is meant to let one implement privsep and tasksep done right on multi-process applications.
The moment you try to make it into a generic syscall firewall, you are likely to start hitting corner cases where you need to keep state (just like a stateful firewall :p) or worse, track complex syscall sequences...
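As an added illustration of the "very draconian path" described above (example code written for this page, not taken from the comment's author or from any project): a forked child enters seccomp strict mode, which leaves it only read(2), write(2), exit(2) and sigreturn(2). The child writes over a pipe (allowed), then calls getppid(2), which is not on that list, so the kernel kills it with SIGKILL and the parent observes that. When the process is already under a seccomp filter (most container runtimes install one), or the kernel lacks seccomp, the kernel refuses strict mode; the code reports that case as "unavailable" rather than failing. Assumes Linux with glibc; the function and message names are this example's own.

```c
/* Added example: seccomp strict mode as "almost full containment".
 * A child confined with SECCOMP_MODE_STRICT may only read, write, _exit
 * (the plain exit syscall, not exit_group) and sigreturn; any other
 * syscall is answered with SIGKILL. */
#define _GNU_SOURCE
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/seccomp.h>

/* Outcomes reported by run_strict_child(). */
enum strict_result {
    STRICT_UNAVAILABLE = 0, /* prctl refused strict mode (already filtered, or no seccomp) */
    STRICT_KILLED      = 1, /* child was SIGKILLed on the forbidden syscall, as expected */
    STRICT_ESCAPED     = 2, /* child survived the forbidden syscall: containment failed */
    STRICT_ERROR       = 3  /* pipe/fork/wait failed */
};

/* Run a child under SECCOMP_MODE_STRICT. `pipe_msg` receives whatever the
 * child wrote before the forbidden syscall (proves write(2) still works).
 * The return value classifies how the child ended. */
enum strict_result run_strict_child(char *pipe_msg, size_t len)
{
    int fds[2];
    if (pipe(fds) != 0)
        return STRICT_ERROR;

    pid_t pid = fork();
    if (pid < 0)
        return STRICT_ERROR;

    if (pid == 0) {
        close(fds[0]); /* child keeps only the write end */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0) {
            /* Strict mode refused: report it and leave (still unconfined here). */
            const char *m = "unavailable";
            write(fds[1], m, strlen(m));
            _exit(0);
        }
        /* Inside the jail: write(2) is one of the four permitted syscalls. */
        const char *m = "confined";
        write(fds[1], m, strlen(m));
        /* getppid(2) is not permitted; the kernel delivers SIGKILL here and
         * nothing below this line runs. */
        getppid();
        /* Only reached if containment did not hold. Use the raw exit syscall,
         * since glibc's _exit() tries exit_group, which strict mode forbids. */
        const char *esc = "escaped";
        write(fds[1], esc, strlen(esc));
        syscall(SYS_exit, 0);
    }

    /* Parent: read until EOF (the child's death closes the write end). */
    close(fds[1]);
    size_t total = 0;
    while (total < len - 1) {
        ssize_t n = read(fds[0], pipe_msg + total, len - 1 - total);
        if (n <= 0)
            break;
        total += (size_t)n;
    }
    pipe_msg[total] = '\0';
    close(fds[0]);

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return STRICT_ERROR;
    if (strcmp(pipe_msg, "unavailable") == 0)
        return STRICT_UNAVAILABLE;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return STRICT_KILLED;
    return STRICT_ESCAPED;
}

/* 1 if the observed outcome matches what strict mode promises: either the
 * child was killed right after its permitted write, or strict mode could
 * not be entered at all. 0 means the child escaped or something broke. */
int strict_demo_consistent(void)
{
    char buf[64];
    enum strict_result r = run_strict_child(buf, sizeof buf);
    if (r == STRICT_KILLED)
        return strcmp(buf, "confined") == 0;
    if (r == STRICT_UNAVAILABLE)
        return strcmp(buf, "unavailable") == 0;
    return 0;
}

int main(void)
{
    char buf[64];
    static const char *names[] = { "unavailable", "killed", "escaped", "error" };
    enum strict_result r = run_strict_child(buf, sizeof buf);
    printf("child wrote \"%s\"; outcome: %s\n", buf, names[r]);
    return r == STRICT_KILLED || r == STRICT_UNAVAILABLE ? 0 : 1;
}
```

On a plain Linux host this prints `child wrote "confined"; outcome: killed`. Note that strict mode offers no allow-list to extend and no state to keep: that is exactly why it can be enforced so completely, and why anything beyond "talk over a pipe, then exit" has to be built on the other side of that pipe in a more privileged process.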
Copyright © 2017, Eklektix, Inc.