On 08/19/16 at 06:31pm, Pablo Neira Ayuso wrote: > Why do you need global seccomp policies? The process knows better what > he needs to place in his sandbox, so attaching this from the process > itself makes more sense to me... Anyway, this reminds me to selinux.
Two different objectives. The point is to sandbox applications and restrict their capabilities. It's not the application itself but the task orchestration system around it that manages the policies.
