v2 allows specifying system calls by name, and specifying
architecture. A policy looks like:
2
whitelist
open
read
write
close
mount
[x86]
open
read
Also use SCMP_ACT_KILL by default rather than SCMP_ACT_ERRNO(31) -
which confusingly returns 'EMLINK' on x86_64. Note this change
is also done for v1 as I think it is worthwhile.
With this patch, I can in fact use a seccomp policy like:
2
blacklist
mknod errno 0
after which 'sudo mknod null c 1 3' silently succeeds without
creating the null device.
changelog v2:
add blacklist support
support default action
support per-rule action