Rahul Sharma


Updated on
Share on FacebookTweet on TwitterShare on LinkedIn
Original author(s)  Andrea Arcangeli
Written in  C
Type  Sandboxing
Development status  mainlined
Operating system  Linux
Initial release  March 8, 2005; 12 years ago (2005-03-08)

seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

seccomp mode is enabled via the prctl(2) system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17) via the seccomp(2) system call. seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl(). In some kernel versions, seccomp disables the RDTSC x86 instruction.

seccomp-bpf is an extension to seccomp that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on Chrome OS and Linux. (In this regard seccomp-bpf achieves similar functionality to the older systrace—which seems to be no longer supported for Linux).

Software using seccomp

  • One of the most prominent software solutions using seccomp is Docker. Docker is an open source project, primarily backed by Docker Inc., that enables software to run inside of isolated containers. When a Docker container is created, using docker run or docker create sub-commands, a seccomp profile can be associated with the container using the --security-opt parameter.
  • seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs.
  • Arcangeli's CPUShare was the only known user of this feature. Writing in February 2009, Linus Torvalds expresses doubt whether seccomp is actually used by anyone. However, a Google engineer replied that Google is exploring using seccomp for sandboxing its Chrome web browser.
  • Firejail is an open source Linux sandbox program that utilizes Linux Namespaces, Seccomp, and other kernel-level security features to sandbox Linux and Wine applications.
  • As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.
  • As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.
  • Snap (packages) specify the shape of their application sandbox using 'interfaces' which snapd translates to seccomp, apparmor and other security constructs
  • vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.
  • OpenSSH has supported seccomp-bpf since version 6.0.
  • Mbox uses ptrace along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone.
  • LXD, an Ubuntu "hypervisor" for containers
  • Firefox and Firefox OS, which use seccomp-bpf
  • Cjdns uses seccomp-bpf as one of its sandbox mechanisms, filtering the system calls it performs on a Linux system, and strictly limiting its access to the outside world.
  • Tor supports seccomp since
  • Lepton, a JPEG compression tool developed by Dropbox uses seccomp
  • Kafel is a configuration language, which converts readable policies into seccompb-bpf bytecode
  • Subgraph OS uses seccomp-bpf
  • Flatpak uses seccomp for process isolation
  • References

    Seccomp Wikipedia

    Similar Topics
    Herbert Benson
    Annika Mombauer