Seccomp

Linux Syscall

Tags: linux security programming sandboxing

Reading time: less than 1 minute

Modes
- Strict mode
- Filter mode

seccomp, or secure computing, is a Linux syscall that aims to improve system security. By using seccomp, a process can limit the system calls available to itself.

seccomp server a similar purpose to the pledge syscall available on OpenBSD and Serenity OS.

Modes

There are two seccomp modes with different trade-offs, these are called Strict Mode and Filter Mode.

Strict mode

Strict mode is the original seccomp mode that was available before the introduction of filter mode. In strict mode, the only system calls that a process is permitted to make are read, write, exit and sigreturn. Attempting to perform any other system call results in the process getting terminated with a SIGKILL.

Filter mode

Filter mode allows more granular control of system calls by checking every syscall through a BPF program.

Citation

If you find this work useful, please cite it as:

@article{yaltirakliwikiseccomp,
  title   = "Seccomp",
  author  = "Yaltirakli, Gokberk",
  journal = "gkbrk.com",
  year    = "2023",
  url     = "https://www.gkbrk.com/wiki/seccomp/"
}

Not using BibTeX? Click here for more citation styles.

IEEE Citation

Gokberk Yaltirakli, "Seccomp", September, 2023. [Online]. Available: https://www.gkbrk.com/wiki/seccomp/. [Accessed Sep. 27, 2023].

APA Style

Yaltirakli, G. (2023, September 27). Seccomp. https://www.gkbrk.com/wiki/seccomp/

Bluebook Style

Gokberk Yaltirakli, Seccomp, GKBRK.COM (Sep. 27, 2023), https://www.gkbrk.com/wiki/seccomp/

Comments

Follow me around

📡 RSS
🐦 Twitter
💻 GitHub
💼 LinkedIn
📧 Email
🔁 Mastodon

Get notified of new posts

(or use RSS)