On Tuesday, August 19, 2014 08:45:01 PM Andrew Griffiths wrote:
> - applying seccomp rules to all running threads may be possible via
>   https://lkml.org/lkml/2014/7/10/538 .. but I would strongly
>   recommend that all privilege dropping / process restriction is performed
>   before creating threads, as it's the only portable way to ensure that
>   there aren't threads running with higher privileges, or running
>   unrestricted.

Just an FYI, as the seccomp filter thread sync functionality is still quite new, support does not yet exist in libseccomp. Support is planned, I just haven't added it yet.

-- 
paul moore
security and virtualization @ redhat
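
An added example, not part of the original message or of libseccomp: a C guard that follows the quoted recommendation by refusing to install a seccomp filter once the process has more than one thread, so that every thread created later inherits it. The function names and the constructed sample policy (`mount` fails with EPERM) are assumptions made for illustration.

```c
#include <dirent.h>
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Threads in this process = entries in /proc/self/task; -1 on error. */
int thread_count(void)
{
    DIR *d = opendir("/proc/self/task");
    struct dirent *e;
    int n = 0;
    if (!d) return -1;
    while ((e = readdir(d)) != NULL)
        if (e->d_name[0] != '.') n++;
    closedir(d);
    return n;
}

/* Install prog only while the caller is the sole thread. Returns 0, or -1
 * with errno (EBUSY: threads already exist and would stay unfiltered). */
int restrict_before_threads(const struct sock_fprog *prog)
{
    int n = thread_count();
    if (n < 0) return -1;
    if (n != 1) { errno = EBUSY; return -1; }
    /* Required for an unprivileged process to load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, prog);
}

/* Constructed sample policy: mount fails with EPERM, all else is allowed.
 * A production filter would also check seccomp_data.arch first. */
int install_sample_filter(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SYS_mount, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = (unsigned short)(sizeof insns / sizeof insns[0]), .filter = insns };
    return restrict_before_threads(&prog);
}

int main(void) { return install_sample_filter() == 0 ? 0 : 1; }
```

Call `restrict_before_threads()` at the end of start-up, before any `pthread_create()`; an EBUSY result means a library has already started a thread that the filter would not cover.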