Content Deep Dive
Sandboxing in Linux with zero lines of code
Blog post from Cloudflare
Post Details
Company
Date Published
Author: Ignat Korchagin
Word Count: 4,387
Language: English
Hacker News Points: 12
Summary
Linux seccomp is a powerful security feature that allows applications to restrict their system call usage, thereby limiting potential attack vectors. By using seccomp, developers can create sandboxes for their applications without writing any additional code. This post explores the use of seccomp in practice and provides examples of how it can be used to protect against arbitrary code execution exploits. The Cloudflare sandbox toolkit is also introduced as a convenient way to enforce seccomp policies on both dynamically linked and statically linked applications.