seccomp (short for secure computing mode) is a

computer security Computer security, cybersecurity (cyber security), or information technology security (IT security) is the protection of computer systems and networks from attack by malicious actors that may result in unauthorized information disclosure, t ...

facility in the

Linux kernel The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally authored in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU ...

. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any

system call In computing, a system call (commonly abbreviated to syscall) is the programmatic way in which a computer program requests a service from the operating system on which it is executed. This may include hardware-related services (for example, acc ...

s except exit(), sigreturn(), read() and write() to already-open

file descriptor In Unix and Unix-like computer operating systems, a file descriptor (FD, less frequently fildes) is a process-unique identifier ( handle) for a file or other input/output resource, such as a pipe or network socket. File descriptors typically ha ...

s. Should it attempt any other system calls, the kernel will either just log the event or terminate the process with

SIGKILL Signals are standardized messages sent to a running program to trigger specific behavior, such as quitting or error handling. They are a limited form of inter-process communication (IPC), typically used in Unix, Unix-like, and other POSIX-co ...

or SIGSYS. In this sense, it does not virtualize the system's resources but isolates the process from them entirely. seccomp mode is enabled via the system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17) via the system call. seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl(). In some kernel versions, seccomp disables the RDTSC x86 instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing. seccomp-bpf is an extension to seccomp that allows filtering of system calls using a configurable policy implemented using

Berkeley Packet Filter The Berkeley Packet Filter (BPF) is a technology used in certain computer operating systems for programs that need to, among other things, analyze network traffic. It provides a raw interface to data link layers, permitting raw link-layer packets ...

rules. It is used by

OpenSSH OpenSSH (also known as OpenBSD Secure Shell) is a suite of secure networking utilities based on the Secure Shell (SSH) protocol, which provides a secure channel over an unsecured network in a client–server architecture. Network Working Gro ...

and

vsftpd vsftpd, (or very secure FTP daemon), is an FTP server for Unix-like systems, including Linux. It is the default FTP server in the Ubuntu, CentOS, Fedora, NimbleX, Slackware and RHEL Linux distributions. It is licensed under the GNU General Publ ...

as well as the Google Chrome/Chromium web browsers on

ChromeOS ChromeOS, sometimes stylized as chromeOS and formerly styled as Chrome OS, is a Linux-based operating system designed by Google. It is derived from the open-source ChromiumOS and uses the Google Chrome web browser as its principal user interfa ...

and Linux. (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older

systrace Systrace is a computer security utility which limits an application's access to the system by enforcing access policies for system calls. This can mitigate the effects of buffer overflows and other security vulnerabilities. It was developed by N ...

—which seems to be no longer supported for

Linux Linux ( or ) is a family of open-source Unix-like operating systems based on the Linux kernel, an operating system kernel first released on September 17, 1991, by Linus Torvalds. Linux is typically packaged as a Linux distribution, whi ...

.) Some consider seccomp comparable to

OpenBSD OpenBSD is a security-focused, free and open-source, Unix-like operating system based on the Berkeley Software Distribution (BSD). Theo de Raadt created OpenBSD in 1995 by forking NetBSD 1.0. According to the website, the OpenBSD project e ...

pledge(2) and

FreeBSD FreeBSD is a free and open-source Unix-like operating system descended from the Berkeley Software Distribution (BSD), which was based on Research Unix. The first version of FreeBSD was released in 1993. In 2005, FreeBSD was the most popular ...

capsicum ''Capsicum'' () is a genus of flowering plants in the nightshade family Solanaceae, native to the Americas, cultivated worldwide for their chili pepper or bell pepper fruit. Etymology and names The generic name may come from Latin , me ...

(4).

History

seccomp was first devised by Andrea Arcangeli in January 2005 for use in public

grid computing Grid computing is the use of widely distributed computer resources to reach a common goal. A computing grid can be thought of as a distributed system with non-interactive workloads that involve many files. Grid computing is distinguished from ...

and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the

Linux kernel mainline The Linux kernel is a free and open-source, monolithic, modular, multitasking, Unix-like operating system kernel. It was originally authored in 1991 by Linus Torvalds for his i386-based PC, and it was soon adopted as the kernel for the GNU o ...

in kernel version 2.6.12, which was released on March 8, 2005.

Software using seccomp or seccomp-bpf

* Android uses a seccomp-bpf filter in the zygote since

Android 8.0 Android Oreo ( codenamed Android O during development) is the eighth major release and the 15th version of the Android mobile operating system. It was first released as an alpha quality developer preview in March 2017 and released to the pub ...

Oreo. *

systemd systemd is a software suite that provides an array of system components for Linux operating systems. Its main aim is to unify service configuration and behavior across Linux distributions; Its primary component is a "system and service manag ...

's sandboxing options are based on seccomp. *

QEMU QEMU is a free and open-source emulator (Quick EMUlator). It emulates the machine's central processing unit, processor through dynamic binary translation and provides a set of different hardware and device models for the machine, enabling it t ...

, the Quick Emulator, the core component to the modern virtualization together with KVM uses seccomp on the parameter --sandbox * Docker – software that allows applications to run inside of isolated containers. Docker can associate a seccomp profile with the container using the --security-opt parameter. * Arcangeli's CPUShare was the only known user of seccomp for a while. Writing in February 2009,

Linus Torvalds Linus Benedict Torvalds ( , ; born 28 December 1969) is a Finnish software engineer who is the creator and, historically, the lead developer of the Linux kernel, used by Linux distributions and other operating systems such as Android. He also ...

expresses doubt whether seccomp is actually used by anyone. However, a

Google Google LLC () is an American Multinational corporation, multinational technology company focusing on Search Engine, search engine technology, online advertising, cloud computing, software, computer software, quantum computing, e-commerce, ar ...

engineer replied that Google is exploring using seccomp for

sandbox A sandbox is a sandpit, a wide, shallow playground construction to hold sand, often made of wood or plastic. Sandbox or Sand box may also refer to: Arts, entertainment, and media * Sandbox (band), a Canadian rock music group * ''Sand ...

ing its Chrome web browser. * Firejail is an open source Linux sandbox program that utilizes

Linux namespaces Namespaces are a feature of the Linux kernel that partitions kernel resources such that one set of processes sees one set of resources while another set of processes sees a different set of resources. The feature works by having the same nam ...

, Seccomp, and other kernel-level security features to sandbox Linux and

Wine Wine is an alcoholic drink typically made from Fermentation in winemaking, fermented grapes. Yeast in winemaking, Yeast consumes the sugar in the grapes and converts it to ethanol and carbon dioxide, releasing heat in the process. Different ...

applications. * As of Chrome version 20, seccomp-bpf is used to sandbox

Adobe Flash Player Adobe Flash Player (known in Internet Explorer, Firefox, and Google Chrome as Shockwave Flash) is computer software for viewing multimedia contents, executing rich Internet applications, and streaming audio and video content created on ...

. * As of Chrome version 23, seccomp-bpf is used to sandbox the renderers. * Snap specify the shape of their application sandbox using "interfaces" which snapd translates to seccomp,

AppArmor AppArmor ("Application Armor") is a Linux kernel security module that allows the system administrator to restrict programs' capabilities with per-program profiles. Profiles can allow capabilities like network access, raw socket access, and the ...

and other security constructs *

uses seccomp-bpf sandboxing as of version 3.0.0. *

has supported seccomp-bpf since version 6.0. * Mbox uses

ptrace ptrace is a system call found in Unix and several Unix-like operating systems. By using ptrace (the name is an abbreviation of "process trace") one process can control another, enabling the controller to inspect and manipulate the internal state ...

along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone. * LXD, a

Ubuntu Ubuntu ( ) is a Linux distribution based on Debian and composed mostly of free and open-source software. Ubuntu is officially released in three editions: '' Desktop'', ''Server'', and ''Core'' for Internet of things devices and robots. All ...

hypervisor A hypervisor (also known as a virtual machine monitor, VMM, or virtualizer) is a type of computer software, firmware or hardware that creates and runs virtual machines. A computer on which a hypervisor runs one or more virtual machines is called ...

" for containers *

Firefox Mozilla Firefox, or simply Firefox, is a free and open-source web browser developed by the Mozilla Foundation and its subsidiary, the Mozilla Corporation. It uses the Gecko rendering engine to display web pages, which implements current ...

and

Firefox OS Firefox OS (project name: ''Boot to Gecko'', also known as ''B2G'') is a discontinued open-source operating system made for smartphones, tablet computers, smart TVs, and dongles designed by Mozilla and external contributors. It is based on the ...

, which use seccomp-bpf * Tor supports seccomp since 0.2.5.1-alpha * Lepton, a

JPEG JPEG ( ) is a commonly used method of lossy compression for digital images, particularly for those images produced by digital photography. The degree of compression can be adjusted, allowing a selectable tradeoff between storage size and imag ...

compression tool developed by

Dropbox Dropbox is a file hosting service operated by the American company Dropbox, Inc., headquartered in San Francisco, California, U.S. that offers cloud storage, file synchronization, personal cloud, and client software. Dropbox was founded in 2007 ...

uses seccomp * Kafel is a configuration language, which converts readable policies into seccompb-bpf

bytecode Bytecode (also called portable code or p-code) is a form of instruction set designed for efficient execution by a software interpreter. Unlike human-readable source code, bytecodes are compact numeric codes, constants, and references (norma ...

* Subgraph OS uses seccomp-bpf *

Flatpak Flatpak, formerly known as xdg-app, is a utility for software deployment and package management for Linux. It is advertised as offering a sandbox environment in which users can run application software in isolation from the rest of the system. ...

uses seccomp for

process isolation Process isolation is a set of different hardware and software technologies designed to protect each computer process, process from other processes on the operating system. It does so by preventing process A from writing to process B. Process isolat ...

* Bubblewrap is a lightweight sandbox application developed from

* minijail uses seccomp for process isolation * SydBox uses seccomp-bpf to improve the runtime and security of the ptrace sandboxing used to sandbox package builds on Exherbo Linux distribution. * File, a Unix program to determine filetypes, uses seccomp to resctrict its runtime environment *

Zathura ''Zathura'' is a 2002 science fiction children's literature, children's picture book written and illustrated by American author Chris Van Allsburg. In the story, two boys are drawn into an intergalactic space adventure when their house is magic ...

, a minimalistic document viewer, uses seccomp filter to implement different sandbox modes * Gnome Tracker, a indexing and preview application for the Gnome Desktop Environment, uses seccomp to prevent automatic exploitation of parsing vulnerabilities in media files

References

External links

Official website (Archived)

Google's Chromium sandbox
LWN.net, August 2009, by Jake Edge
seccomp-nurse
a sandboxing framework based on seccomp
Documentation/prctl/seccomp_filter.txt
part of the

documentation
Security In-Depth for Linux Software: Preventing and Mitigating Security Bugs
{{Linux Linux kernel features Computer security