seccomp (short for secure computing) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will either just log the event or terminate the process with SIGKILL or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
seccomp mode is enabled via the prctl() system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17) via the dedicated seccomp() system call. seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl(). In some kernel versions, seccomp disables the RDTSC x86 instruction, which returns the number of elapsed processor cycles since power-on and is used for high-precision timing.
seccomp-bpf is an extension to seccomp that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on ChromeOS and Linux. (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systrace, which seems to be no longer supported for Linux.)
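As an added example (not code from the article or from any of the projects it names), the following C program builds a seccomp-bpf allowlist equivalent to the strict-mode set above (read, write, exit, sigreturn), evaluates it offline with a tiny cBPF interpreter so the policy can be checked before use, and then installs it with prctl(PR_SET_SECCOMP). It assumes a Linux x86-64 or arm64 host and kernel headers that define SECCOMP_RET_KILL_PROCESS.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#define ARCH_NR AUDIT_ARCH_X86_64  /* assumption: x86-64 (or arm64) host */
#endif
/* Allow syscall number nr; otherwise fall through to the next rule. */
#define ALLOW_OR_NEXT(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                          BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Allowlist mirroring strict mode (read, write, exit, sigreturn). The
 * architecture is checked first because syscall numbers differ per ABI. */
static struct sock_filter allowlist[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    ALLOW_OR_NEXT(__NR_read), ALLOW_OR_NEXT(__NR_write),
    ALLOW_OR_NEXT(__NR_exit), ALLOW_OR_NEXT(__NR_exit_group),
    ALLOW_OR_NEXT(__NR_rt_sigreturn),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS), /* default: kill */
};
#define ALLOWLIST_LEN (sizeof(allowlist) / sizeof(allowlist[0]))
/* Evaluates the cBPF subset used above (LD|W|ABS, JEQ|K, RET|K) for one
 * (arch, nr) pair, so the policy can be checked without installing it. */
unsigned int filter_decision(unsigned int arch, unsigned int nr) {
    unsigned int acc = 0;
    for (size_t pc = 0; pc < ALLOWLIST_LEN; pc++) {
        const struct sock_filter *i = &allowlist[pc];
        if (i->code == (BPF_LD | BPF_W | BPF_ABS))
            acc = i->k == offsetof(struct seccomp_data, arch) ? arch : nr;
        else if (i->code == (BPF_JMP | BPF_JEQ | BPF_K))
            pc += acc == i->k ? i->jt : i->jf;  /* offsets count from next insn */
        else if (i->code == (BPF_RET | BPF_K))
            return i->k;
    }
    return SECCOMP_RET_KILL_PROCESS;  /* unreachable for a well-formed filter */
}
int main(void) {  /* installs the filter, then deliberately trips it */
    struct sock_fprog prog = { .len = (unsigned short)ALLOWLIST_LEN, .filter = allowlist };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||  /* needed unprivileged */
        prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0) return 1;
    if (write(1, "filter active\n", 14) < 0) return 1;
    getpid();  /* denied: the kernel kills the process with SIGSYS here */
}
```

Run as an unprivileged user: after "filter active" is printed, the getpid() call is not on the allowlist and the process is killed with SIGSYS, which is the seccomp-bpf counterpart of the strict-mode behaviour described above.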
Some consider seccomp comparable to OpenBSD pledge(2) and FreeBSD capsicum(4).
History
seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.
Software using seccomp or seccomp-bpf
* Android uses a seccomp-bpf filter in the zygote since Android 8.0 Oreo.
* systemd's sandboxing options are based on seccomp.
* QEMU, the Quick Emulator, the core component of modern virtualization together with KVM, uses seccomp via the --sandbox parameter.
* Docker, software that allows applications to run inside isolated containers. Docker can associate a seccomp profile with the container using the --security-opt parameter.
* Arcangeli's CPUShare was the only known user of seccomp for a while. Writing in February 2009, Linus Torvalds expressed doubt whether seccomp was actually used by anyone. However, a Google engineer replied that Google was exploring using seccomp for sandboxing its Chrome web browser.
* Firejail is an open source Linux sandbox program that utilizes Linux namespaces, seccomp, and other kernel-level security features to sandbox Linux and Wine applications.
* As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.
* As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.
* Snaps specify the shape of their application sandbox using "interfaces", which snapd translates to seccomp, AppArmor and other security constructs.
* vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.
* OpenSSH has supported seccomp-bpf since version 6.0.
* Mbox uses ptrace along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone.
* LXD, an Ubuntu "hypervisor" for containers.
* Firefox and Firefox OS, which use seccomp-bpf.
* Tor supports seccomp since 0.2.5.1-alpha.
* Lepton, a JPEG compression tool developed by Dropbox, uses seccomp.
* Kafel is a configuration language which converts readable policies into seccomp-bpf bytecode.
* Subgraph OS uses seccomp-bpf.
* Flatpak uses seccomp for process isolation.
* Bubblewrap is a lightweight sandbox application developed from Flatpak.
* minijail uses seccomp for process isolation
* SydBox uses seccomp-bpf to improve the runtime and security of the ptrace sandboxing used to sandbox package builds on the Exherbo Linux distribution.
* File, a Unix program to determine file types, uses seccomp to restrict its runtime environment.
* Zathura, a minimalistic document viewer, uses a seccomp filter to implement different sandbox modes.
* Tracker, an indexing and preview application for the GNOME desktop environment, uses seccomp to prevent automatic exploitation of parsing vulnerabilities in media files.
External links
Official website (Archived)
Google's Chromium sandbox, LWN.net, August 2009, by Jake Edge
seccomp-nurse, a sandboxing framework based on seccomp
Documentation/prctl/seccomp_filter.txt, part of the Linux kernel documentation
Security In-Depth for Linux Software: Preventing and Mitigating Security Bugs