Don't commit this yet :)
Created attachment 243961: Patch
Created attachment 249291: [GTK] Enable seccomp filters by default
Created attachment 249292: [GTK] Enable seccomp filters by default
The current seccomp filters code does not provide any meaningful security, and is certainly worse than no sandbox at all due to the high likelihood that it will unexpectedly break something by inappropriately denying access to a file. We might be better off deleting all this code and starting from scratch (perhaps using mount namespaces), rather than try to enforce a filesystem access policy with seccomp filters. We should use seccomp filters to enforce a short syscall blacklist regardless, but that is much simpler than what we have now, and none of the current code is useful for that. (A syscall whitelist -- the approach I attempted -- is far too fragile.)
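To illustrate the "short syscall blacklist" alternative raised in the comment above, here is an added example (not WebKit's code and not from this bug): a raw seccomp-BPF filter that kills the process on a few listed syscalls and allows everything else. The helper names, the deny list and the 64-instruction cap are assumptions made for the example.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define STMT(code, k) (struct sock_filter)BPF_STMT(code, k)
#define JUMP(code, k, jt, jf) (struct sock_filter)BPF_JUMP(code, k, jt, jf)

/* Hypothetical helper (not WebKit's): writes a deny-list filter into prog. Layout: arch
 * check, load nr, one JEQ per denied syscall jumping to KILL, then ALLOW, then KILL.
 * Returns the instruction count (n + 6), or -1 if it would not fit in cap. */
int build_denylist(struct sock_filter *prog, size_t cap, const int *nrs, size_t n)
{
    size_t i, k = 0;
    if (n + 6 > cap) return -1;
    prog[k++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[k++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0); /* wrong arch: kill */
    prog[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[k++] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (i = 0; i < n; i++) /* jt skips the remaining JEQs and the ALLOW */
        prog[k++] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)nrs[i], (unsigned char)(n - i), 0);
    prog[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    prog[k++] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return (int)k;
}

/* Installs the deny list for the calling thread; returns 0 on success. */
int install_denylist(const int *nrs, size_t n)
{
    struct sock_filter insns[64];
    int len = build_denylist(insns, 64, nrs, n);
    struct sock_fprog prog = { .len = (unsigned short)(len < 0 ? 0 : len), .filter = insns };
    if (len < 0) return -1;
    /* no_new_privs is required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == 0 ? 0 : -1;
}

int main(void)
{
    const int deny[] = { SYS_ptrace, SYS_mount, SYS_reboot }; /* constructed deny list */
    return install_denylist(deny, 3) == 0 ? 0 : 1;
}
```

Once the filter is in place any call to one of the listed syscalls terminates the process, which is the behaviour a sandbox should show up as a crash report rather than a silently denied file open.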
The idea of trying something with seccomp was because at the time it was the only mechanism available in many distros that wouldn't require special privileges to create the sandbox. Obviously trapping just a few syscalls won't give much, but the plan was to incrementally grow and add more filters.