The Linux kernel will (hopefully) soon support "seccomp filter" (or "mode 2 seccomp"). Ubuntu 12.04 LTS has it available now, and Chrome OS will be using it shortly. This document is designed as a quick-start guide for software authors that want to take advantage of this security feature. In the simplest terms, it allows a program to declare ahead of time which system calls it expects to use, so that if an attacker gains arbitrary code execution, they cannot poke at any unexpected system calls.