seccomp
What is seccomp?
seccomp: A Linux kernel facility that restricts which system calls a process can make, with the modern seccomp-BPF/eBPF mode enabling fine-grained per-syscall filters.
seccomp (secure computing mode) was added to Linux 2.6.12 in 2005 as a coarse 'strict' mode that limits a process to read, write, exit, and sigreturn. The modern seccomp-BPF mode, available since Linux 3.5 (2012), lets a process install a classic BPF program (or, more recently, eBPF) that inspects each system-call number and arguments and returns ALLOW, ERRNO, TRAP, KILL, or USER_NOTIF. Filters are inherited across fork/execve, cannot be relaxed once installed, and require either CAP_SYS_ADMIN or PR_SET_NO_NEW_PRIVS. seccomp is the syscall-filtering backbone of Docker, containerd, Kubernetes, systemd, Chrome and Firefox sandboxes, Android Zygote, OpenSSH privsep, and Linux microVMs such as Firecracker.
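The seccomp-BPF mechanism described above, as an added example that is not part of the original page: an unprivileged process sets PR_SET_NO_NEW_PRIVS, installs a classic-BPF filter that checks the architecture, denies one syscall (mkdirat, chosen here as an illustration) with SECCOMP_RET_ERRNO(EPERM) and allows the rest, then shows the denial. It assumes Linux on x86_64 or aarch64 and uses a constructed probe path.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#if defined(__x86_64__)
#  define FILTER_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#  define FILTER_ARCH AUDIT_ARCH_AARCH64
#else
#  error "add the AUDIT_ARCH_* value for this architecture"
#endif
#ifndef SECCOMP_RET_KILL_PROCESS   /* missing from pre-4.14 kernel headers */
#  define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
/* Install a classic-BPF filter: deny mkdirat with EPERM, allow all else.
   Returns 0 on success, -1 with errno set if the kernel refused. */
int install_filter(void) {
    struct sock_filter filter[] = {
        /* Check the architecture first, otherwise a compat/x32 syscall
           table would be matched against the wrong numbers. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, FILTER_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Dispatch on the syscall number (a real profile would also cover
           __NR_mkdir on x86_64: legacy and *at variants are separate numbers). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof filter / sizeof filter[0], .filter = filter };
    /* An unprivileged process must first promise never to gain privileges
       (no setuid execve); without it the kernel rejects the filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}
/* Exercise the denied syscall: 0 if it succeeded, else the errno produced. */
int probe_mkdirat(void) {
    const char *path = "/tmp/seccomp-probe-dir";      /* constructed probe path */
    if (mkdirat(AT_FDCWD, path, 0700) == 0) { rmdir(path); return 0; }
    return errno;                                     /* EPERM once filtered */
}
```

Once install_filter() returns 0, probe_mkdirat() reports EPERM for the rest of the process's life and in every child it forks or execs; no later prctl call can remove the filter.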
● Examples
- 01: The default Docker seccomp profile blocks ~44 dangerous syscalls.
- 02: Firefox's content process uses seccomp-BPF to drop almost all syscalls.
● Frequently asked questions
What is seccomp?
A Linux kernel facility that restricts which system calls a process can make, with the modern seccomp-BPF/eBPF mode enabling fine-grained per-syscall filters. It belongs to the Cryptography category of cybersecurity.
What does seccomp mean?
A Linux kernel facility that restricts which system calls a process can make, with the modern seccomp-BPF/eBPF mode enabling fine-grained per-syscall filters.
How does seccomp work?
seccomp (secure computing mode) was added to Linux 2.6.12 in 2005 as a coarse 'strict' mode that limits a process to read, write, exit, and sigreturn. The modern seccomp-BPF mode, available since Linux 3.5 (2012), lets a process install a classic BPF program (or, more recently, eBPF) that inspects each system-call number and arguments and returns ALLOW, ERRNO, TRAP, KILL, or USER_NOTIF. Filters are inherited across fork/execve, cannot be relaxed once installed, and require either CAP_SYS_ADMIN or PR_SET_NO_NEW_PRIVS. seccomp is the syscall-filtering backbone of Docker, containerd, Kubernetes, systemd, Chrome and Firefox sandboxes, Android Zygote, OpenSSH privsep, and Linux microVMs such as Firecracker.
How is seccomp used as a defence?
seccomp is itself a defensive control rather than a threat: it is applied as part of the sandboxing and container hardening described in the full definition above, combined with operational practices.
What are other names for seccomp?
Common alternative names include: seccomp-BPF, secure computing mode.
● Related terms
- SELinux (cryptography, № 1006): Security-Enhanced Linux, an NSA-developed mandatory access control framework implemented via the Linux Security Module hooks and a type-enforcement policy.
- AppArmor (cryptography, № 053): A path-based mandatory access control system for Linux, used by Ubuntu and SUSE as a simpler alternative to SELinux for confining individual programs.
- Container Security (cloud-security, № 213): The practice of securing container images, registries, orchestrators, and the runtime in which containers execute.