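/*
 * Minimal seccomp-bpf demonstration: set no_new_privs, install a filter,
 * then exec /bin/echo.  execve() never returns on success, so every path
 * that reaches the `end` label is an error path.
 *
 * The filter below is a single unconditional BPF_RET ALLOW: it is a
 * no-op policy and provides no sandboxing.  A real policy should
 * default-deny and must compare seccomp_data.arch with the expected
 * AUDIT_ARCH_* value before interpreting seccomp_data.nr.
 */
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

int main(void)
{
    int status;
    char *const argv[] = { "/bin/echo", "OK", NULL };
    /* Linux accepts envp == NULL, but an explicit empty array is what
     * POSIX specifies and is portable. */
    char *const envp[] = { NULL };
    /* One-instruction program: allow every system call. */
    struct sock_filter filter[] = {
        BPF_STMT(BPF_RET + BPF_K, SECCOMP_RET_ALLOW),
    };
    /* Derive .len from the array so that adding instructions later
     * cannot leave the length stale. */
    struct sock_fprog program = {
        .len = (unsigned short)(sizeof filter / sizeof filter[0]),
        .filter = filter,
    };

    /* Must precede PR_SET_SECCOMP: without no_new_privs the kernel
     * rejects a filter from a caller lacking CAP_SYS_ADMIN in its user
     * namespace.  The bit is inherited across execve(). */
    status = prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
    if (status < 0) {
        perror("prctl(PR_SET_NO_NEW_PRIVS)");
        goto end;
    }

    status = prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &program);
    if (status < 0) {
        perror("prctl(PR_SET_SECCOMP)");
        goto end;
    }

    /* Returns only on failure. */
    status = execve(argv[0], argv, envp);
    perror("execve()");

end:
    printf("status = %d\n", status);
    /* status is -1 on every path that reaches here; returning it from
     * main() would yield exit code 255, so report a conventional
     * failure status instead. */
    return EXIT_FAILURE;
}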