It's in seccomp wheezy-backports. I don't know about seccomp. Is it enough to install the package and all applications making use of it will benefit from it?
Yes thats how it works.
A proposal which warrant its own thread -
If we want to add filters for other software that doesn’t make use of it by default for further hardeining (like what you are doing with Apparmor profiles) see:
It’s only available in wheezy-backports. I would have to do the same as with python-stem. Each time there is an update of that package, I would have to upload the updated version to Whonix. It’s all possible, but delays Whonix 9 release and all adds up to maintenance effort. I guess it’s best to wait for the next version of Debian, when this package can be installed and updated from Debain stable, maintained by the Debian developers.
How much gain would we get from that effort? What package are using seccomp?
Lets keep it on the backburner but not forget about it.
What is to remember here? I haven't found comments, that some setting has to be changed to enable seccomp. Once Whonix is based on wheezy+1, a newer kernel will be used and we will profit transparently and automatically profit from seccomp? Nothing to do here?
That’s a discussion for https://whonix.org/forum/index.php/topic,97.0.html directed to troubadour. Getting upstream (TPO) to pick something up seems difficult. When troubadour does something here, I give it some feedback and testing in timely manner. Upstream seems overworked. Not leaving feedback. By the time they eventually(!) leave feedback, you already forgot about what you did and might have lost interest and motivation because of the time lag.
What however could make sense is working with Micah Lee, who is interested in an AppArmor profile and more responsive. See:
It depends on troubadour to be motivated for this. I don’t take offense either way, of course.