Is there something like seccomp that works on Windows?
It should limit all syscalls to some very limited set, like only reading and writing to already opened files.
The one described as sandbox for Chromium does not look like Seccomp, as it is based on usual file permissions and Windows security objects, not on limiting access to syscalls.
No, there is nothing like seccomp that works on Windows. The closest there is are traditional permissions which disable certain privileged syscalls. But currently, there is no way to whitelist or blacklist entire arbitrary syscalls, or syscall arguments on Windows.
Since Windows 8 you can block all calls from win32k.sys with DisallowWin32kSystemCalls flag in PROCESS_MITIGATION_SYSTEM_CALL_DISABLE_POLICY structure.
You can't gradually control system calls as it in seccomp, but this is still an interesting feature.
