=== modified file 'init/job_process.c'
--- init/job_process.c	2013-02-14 02:54:10 +0000
+++ init/job_process.c	2013-02-19 23:44:43 +0000
@@ -66,6 +66,7 @@
 #include "job.h"
 #include "errors.h"
 #include "control.h"
+#include "seccomp_filter.h"
 #include "xdg.h"
 
 
@@ -905,6 +906,33 @@
 		}
 	}
 
+	/* Install seccomp_filter if applicable. All system calls that are
+	 * required to setup the job should precede this.
+	 */
+	if (class->seccomp_filter) {
+		int   nnp    = 1;
+		int   rcount = 0;
+		int   invert = 0;
+		char *pos;
+		char *rules  = class->seccomp_filter;
+
+		if (*rules == '~') {
+			invert = 1;
+			rules++;
+		}
+
+		/* Count seccomp rules */
+		for (const char *s = rules; (pos = strpbrk(s, SEPARATORS)) != NULL;
+		     s = pos + 1)
+		     rcount++;
+		
+		/* One rule remaining after the last ',' */
+		rcount++;
+		
+		/* Install seccomp filter based on the rules given */
+		install_seccomp_filter(rcount, rules, invert, nnp, SEPARATORS);
+	}
+
 	/* Execute the process, if we escape from here it failed */
 	if (execvp (argv[0], argv) < 0) {
 		nih_error_raise_system ();