Article 55GH1 Sandboxing in Linux with zero lines of code (Cloudflare blog)

by corbet from LWN.net on (#55GH1)
The Cloudflare blog is running an overview of sandboxing with seccomp(), culminating in a tool written there to sandbox any existing program. "We really liked the 'zero code seccomp' approach with systemd SystemCallFilter= directive, but were not satisfied with its limitations. We decided to take it one step further and make it possible to prohibit any system call in any process externally without touching its source code, so came up with the Cloudflare sandbox. It's a simple standalone toolkit consisting of a shared library and an executable. The shared library is supposed to be used with dynamically linked applications and the executable is for statically linked applications."