If //CONFIG_PACKAGE_procd-seccomp=y//, procd will be built with //-DSECCOMP_SUPPORT//.
In practice, this means that if some service’s init script tries to set a seccomp policy, procd will call the ///sbin/seccomp-trace// binary ([[https://git.openwrt.org/?p=project/procd.git;a=blob;f=service/instance.c;h=8cabedb8b0fd789fb0686c7b4a9f35ec3abfd441;hb=HEAD#l489|relevant code]]). The problem is that this binary, which is part of procd, is not installed by the //procd// package; it is contained in a separate //procd-seccomp// package. So the service which tries to set the policy will fail to start.
I can see the following options:
Any package that wants to do //procd_set_param seccomp// in its init script needs to explicitly depend on //procd-seccomp// (and this needs to be documented somewhere).
Init scripts should request seccomp conditionally, only if it is available (if //procd-seccomp// is installed? or what should the test be?).
//procd-seccomp// needs to be installed by default whenever //CONFIG_PACKAGE_procd-seccomp=y//.
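A sketch of the second option, added here as an example and not taken from procd or any OpenWrt package: the init script requests seccomp only when the helper binary named above is executable and the policy file is readable. The choice of test, the service name //exampled//, its policy path and the helper function names are all assumptions.

```shell
#!/bin/sh
# Added example, not procd or OpenWrt code.
# SECCOMP_HELPER is the binary the report says procd executes; the service
# name and policy path used below are hypothetical.
SECCOMP_HELPER="${SECCOMP_HELPER:-/sbin/seccomp-trace}"

# Outside OpenWrt, /lib/functions/procd.sh is absent. Record the calls
# instead, so the decision logic can be exercised offline.
if ! type procd_set_param >/dev/null 2>&1; then
	PROCD_PARAMS=""
	procd_set_param() { PROCD_PARAMS="${PROCD_PARAMS}$*;"; }
fi

# Succeeds only if the helper is installed and the policy ($1) is readable.
seccomp_usable() {
	[ -x "$SECCOMP_HELPER" ] && [ -r "$1" ]
}

# Request seccomp for policy $1 only when it can work.
# Returns 0 if the policy was requested, 1 if it was skipped (and logged).
set_seccomp_if_available() {
	if seccomp_usable "$1"; then
		procd_set_param seccomp "$1"
		return 0
	fi
	# Leave a trace: the service is about to start without a filter.
	logger -t "${SERVICE_NAME:-service}" \
		"seccomp skipped: $SECCOMP_HELPER or $1 missing" 2>/dev/null || true
	return 1
}

# How a procd init script would use it (hypothetical service).
start_service() {
	procd_open_instance
	procd_set_param command /usr/sbin/exampled
	set_seccomp_if_available /etc/seccomp/exampled.json || true
	procd_close_instance
}
```

With this fallback the service starts unfiltered when //procd-seccomp// is absent, so the log line is the only sign that the policy was not applied.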