Seccomp tangle

Eric S. Raymond esr at
Wed May 27 00:38:55 UTC 2020

Hal Murray via devel <devel at>:
> I've been experimenting with some code to allow custom seccomp lists.
> The idea is to replace the --enable-seccomp configure option with
>   --enable-seccomp=foo
> and ntp_sandbox would include syscomp/foo.c which would be a list of syscalls 
> used by this system.
> I assume we would maintain a list for each OS/distro/version/hardware 
> combination that we are interested in.  I have a few scripts that turn strace 
> output into a list.  ...
> Is this interesting?  If not, I'll drop it.
> If yes, I'll need some help to work out the details.

Aaarrgghhh.  It's a huge pain in the ass and I wish it weren't interesting.
But given our mission statement, it has to be.
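As an added illustration of the strace-to-list step Hal describes (example code, not from this thread or from NTPsec's own scripts): a small Python converter that pulls syscall names out of `strace -f` output, including the `[pid N]` prefixes, `<unfinished ...>`/`<... resumed>` pairs, signal and exit markers, and renders them as a C initializer. The sample trace is constructed, and the `SCMP_SYS()` output shape is an assumption about what a per-platform list file would contain.

```python
import re

# Constructed sample of `strace -f` output (not a real ntpd trace). It mixes the
# line shapes strace emits: a [pid N] prefix, an interrupted call that is printed
# later as "resumed", a signal delivery, and a process-exit marker.
SAMPLE_TRACE = """\
openat(AT_FDCWD, "/etc/ntp.conf", O_RDONLY|O_CLOEXEC) = 3
read(3, "server pool.ntp.org\\n", 4096) = 20
close(3)                                = 0
[pid 1234] clock_gettime(CLOCK_REALTIME, {tv_sec=1590540000, tv_nsec=1}) = 0
[pid 1235] futex(0x55d0, FUTEX_WAIT_PRIVATE, 0, NULL <unfinished ...>
[pid 1234] sendto(4, "\\x23\\x00", 48, 0, {sa_family=AF_INET, sin_port=htons(123)}, 16) = 48
[pid 1234] --- SIGALRM {si_signo=SIGALRM, si_code=SI_KERNEL} ---
[pid 1235] <... futex resumed> )        = 0
[pid 1234] adjtimex({modes=ADJ_OFFSET|ADJ_NANO}) = 5
[pid 1235] +++ exited with 0 +++
"""

# Optional "[pid N]" or bare-PID prefix, optional -t/-tt timestamp, then the
# syscall name immediately before its opening parenthesis.
_CALL_RE = re.compile(
    r"^(?:\[pid\s+\d+\]\s+|\d+\s+)?(?:\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+)?([a-z_][a-z0-9_]*)\("
)
# A call interrupted by another thread; strace prints it again as "resumed".
# Matching it too means a call whose start was cut off the trace is still seen.
_RESUMED_RE = re.compile(r"<\.\.\.\s+([a-z_][a-z0-9_]*)\s+resumed>")


def syscalls_from_strace(text):
    """Return the set of syscall names that appear in strace output."""
    seen = set()
    for line in text.splitlines():
        m = _CALL_RE.match(line) or _RESUMED_RE.search(line)
        if m:
            seen.add(m.group(1))
    return seen


def as_c_list(names):
    """Render the names as SCMP_SYS() initializer lines (assumed target format)."""
    body = "\n".join(f"\tSCMP_SYS({name})," for name in sorted(names))
    return "/* generated from strace; review before use */\n" + body + "\n"


if __name__ == "__main__":
    print(as_c_list(syscalls_from_strace(SAMPLE_TRACE)))
```

A trace only records the paths that particular run exercised, so the resulting list is a floor, not the full set: any code path not hit during tracing (a rarely taken error branch, a different resolver library) that makes an unlisted call will be killed by the seccomp filter, which is exactly where per-OS/distro/libc lists diverge.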
