Seccomp
Seccomp
Seccomp is short for secure computing mode. This feature is available since Linux version 2.6.12 and provides fairly simple sandboxing capabilities. When a process enables seccomp, the number of system calls will be limited to exit(), read(), sigreturn(), and write().
Seccomp-BPF
Seccomp-BPF is an extension to seccomp and available since Linux version 3.5. It allows filtering of system calls using BPF (Berkeley Packet Filter). The filters define which system calls can be used. It can even filter on system call arguments.