On Thursday, April 17, 2014 10:07:15 PM Ralf Baechle wrote:
> On Thu, Apr 17, 2014 at 12:38:36PM -0700, Andy Lutomirski wrote:
> > > For that reason I've long been contemplating to make syscalls of other
> > > ABIs unavailable, even without seccomp. Would that be useful for
> > > seccomp?
> >
> > It's still possible to execve something else.
>
> Would that other process then have a different syscall filter or is there
> only one global one?

Once a seccomp filter is loaded it is inherited by all child processes.

-- 
paul moore
security and virtualization @ redhat