SECCOMP docs

author Tomas Mudrunka <tomas@mudrunka.cz>

Mon, 10 Feb 2014 21:59:08 +0000 (22:59 +0100)

committer Tomas Mudrunka <tomas@mudrunka.cz>

Mon, 10 Feb 2014 21:59:08 +0000 (22:59 +0100)
author Tomas Mudrunka <tomas@mudrunka.cz>
Mon, 10 Feb 2014 21:59:08 +0000 (22:59 +0100)
committer Tomas Mudrunka <tomas@mudrunka.cz>
Mon, 10 Feb 2014 21:59:08 +0000 (22:59 +0100)
diff --git a/c/seccomp.c b/c/seccomp.c

index 0b740f32f7225f91d7d8511364fe17d6cd9060f5..527daea30c9dac9c946b5810e96b8c8bae232b43 100644 (file)
--- a/c/seccomp.c
+++ b/c/seccomp.c
@@ -1,6 +1,13 @@
-/* seccomp.c
+/*
+ * seccomp.c (Harvie 2o14)
   *
   * This demonstrates how to use SECCOMP_MODE_STRICT to sandbox code on Linux.
+ * You need kernel compiled with CONFIG_SECCOMP=y.
+ * This prohibits everything except read(2), write(2), _exit(2), and sigreturn(2).
+ * Trying to use other syscalls will result in SIGKILL.
+ * If you need to enable more syscalls you can use SECCOMP_MODE_FILTER instead.
+ * See man 2 prctl for more...
+ *
   */
  
  #include <string.h>
author	Tomas Mudrunka <tomas@mudrunka.cz>
	Mon, 10 Feb 2014 21:59:08 +0000 (22:59 +0100)
committer	Tomas Mudrunka <tomas@mudrunka.cz>
	Mon, 10 Feb 2014 21:59:08 +0000 (22:59 +0100)