Just a comment:
> Two other frequently cited options are to use seccomp and network namespaces for this task. Seccomp is a natural solution to consider, but again has significant overhead, since all syscalls must be audited by the attached seccomp handler. Although seccomp handlers are eBPF programs and may be JIT compiled, the performance cost isn’t zero.
Seccomp gained the ability to fast-path syscalls in 5.12 (I think), and ones that will always end in success. The other thing is that seccomp filters are written in cBPF (although compiled to eBPF under the hood).
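To make the comment's two points concrete, here is an added example (not code from the commenter or from the article being discussed): a seccomp allow-list written as classic BPF, plus a small userspace interpreter for the three instruction kinds it uses, so the filter can be checked before it is installed. The allowed syscall list and the EPERM-instead-of-kill default are constructed choices for illustration. Because no instruction ever reads a syscall argument, the verdict for each syscall number is fixed, which is exactly the property the kernel's per-syscall action cache needs in order to skip running the filter for always-allowed calls.

```c
/* Added example: a seccomp-bpf allow-list in classic BPF, decided purely on
 * syscall number. Verdicts that never depend on arguments are cacheable by
 * the kernel, so ALLOW'd syscalls avoid running the filter on every call. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#define MAX_INSNS 64

/* Constructed sample allow-list for a sandboxed worker. */
static const int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group,
                               SYS_brk, SYS_mmap, SYS_munmap };
#define N_ALLOWED (sizeof allowed / sizeof allowed[0])

/* Assemble the filter into out[] (at least MAX_INSNS entries); returns the instruction count. */
size_t build_filter(struct sock_filter *out)
{
    size_t n = 0;
    /* 1. Kill on a foreign architecture: compat/x32 syscall numbers differ. */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    /* 2. Load the syscall number once into the accumulator. */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    /* 3. One compare per allowed number; a hit jumps over the rest and the deny to ALLOW. */
    for (size_t i = 0; i < N_ALLOWED; i++) {
        unsigned char to_allow = (unsigned char)(N_ALLOWED - i);
        out[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], to_allow, 0);
    }
    /* 4. Default: fail the call with EPERM so a denied syscall shows up in logs rather than as a kill. */
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    out[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n;
}

/* Interpreter for the cBPF subset used above (LD|W|ABS, JMP|JEQ|K, RET|K),
 * returning the SECCOMP_RET_* verdict the kernel would produce for (arch, nr). */
unsigned evaluate(const struct sock_filter *f, size_t n, unsigned arch, int nr)
{
    unsigned acc = 0;
    for (size_t pc = 0; pc < n; pc++) {
        const struct sock_filter *in = &f[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k == offsetof(struct seccomp_data, arch)) acc = arch;
            else if (in->k == offsetof(struct seccomp_data, nr)) acc = (unsigned)nr;
            else abort();              /* argument loads are deliberately unsupported here */
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;   /* offsets are relative to the next insn */
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            abort();                   /* outside the supported subset */
        }
    }
    abort();                           /* fell off the end; the kernel rejects such filters */
}

/* Install the filter in the calling thread; no_new_privs is required for unprivileged callers. */
int install_filter(void)
{
    struct sock_filter insns[MAX_INSNS];
    struct sock_fprog prog = { .len = (unsigned short)build_filter(insns), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    if (install_filter() != 0) { perror("seccomp"); return 1; }
    static const char ok[] = "write() allowed\n";
    write(1, ok, sizeof ok - 1);
    /* getpid is not on the list: the call fails with EPERM instead of killing the process. */
    static const char denied[] = "getpid() denied with EPERM\n";
    if (syscall(SYS_getpid) < 0 && errno == EPERM) write(2, denied, sizeof denied - 1);
    return 0;
}
```

Running `evaluate()` over the assembled program before calling `install_filter()` is a cheap way to catch off-by-one jump offsets, which in a live filter surface only as a killed or mysteriously failing process.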