seccomp (short for secure computing[1]) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will either just log the event or terminate the process with SIGKILL or SIGSYS.[2][3] In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
seccomp mode is enabled via the prctl(2) system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17[4]) via the seccomp(2) system call.[5] seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl().[6] In some kernel versions, seccomp disables the RDTSC x86 instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing.[7]
seccomp-bpf is an extension to seccomp[8] that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH[9] and vsftpd as well as the Google Chrome/Chromium web browsers on ChromeOS and Linux.[10] (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systrace, which seems to be no longer supported for Linux.)
seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.[11]
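The mechanism described in the two paragraphs above, as an added example that is not code from the article or from any project it mentions: a seccomp-bpf allow-list mirroring the strict-mode syscall set (read, write, exit, sigreturn), a small user-space interpreter that shows the verdict the kernel would reach for a given syscall, and an installation of the filter with prctl(PR_SET_SECCOMP) in a forked child so that the SIGSYS kill can be observed without affecting the parent. The allow-list contents, the AUDIT_ARCH_* mapping for x86-64 and AArch64, and the use of getpid() as the disallowed probe are this example's own choices; it assumes a Linux build host with the kernel UAPI headers.

```c
/* Added example, not from the article: build a seccomp-bpf allow-list in
 * classic BPF, compute its verdict in user space, and install it with
 * prctl(PR_SET_SECCOMP) in a forked child to observe the SIGSYS kill.
 * The allow-list, the getpid() probe and the ARCH_NR mapping are this
 * example's own choices, not taken from any project the article names. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#ifndef SECCOMP_RET_KILL_PROCESS /* headers older than Linux 4.14 */
#define SECCOMP_RET_KILL_PROCESS SECCOMP_RET_KILL
#endif
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* Allow-list: the calls strict mode permits (read, write, exit, sigreturn)
 * plus exit_group, which modern libc uses to terminate. Any other syscall,
 * or one issued under a foreign architecture ABI, kills the process. */
static const struct sock_filter filter_insns[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_read, 4, 0),         /* jt -> ALLOW */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_write, 3, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit, 2, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_exit_group, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_rt_sigreturn, 0, 1), /* jf -> KILL */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};
#define FILTER_LEN (sizeof filter_insns / sizeof filter_insns[0])

/* Interpreter for the three classic-BPF opcodes the filter uses, so the
 * verdict for any (arch, nr) pair can be checked without touching the kernel.
 * Jump targets are pc + 1 + offset, exactly as the kernel evaluates them. */
unsigned evaluate_filter(unsigned arch, int nr)
{
    struct seccomp_data d;
    unsigned acc = 0;
    memset(&d, 0, sizeof d);
    d.nr = nr;
    d.arch = arch;
    for (size_t pc = 0; pc < FILTER_LEN; pc++) {
        const struct sock_filter *in = &filter_insns[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            memcpy(&acc, (const char *)&d + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS; /* unknown opcode: fail closed */
        }
    }
    return SECCOMP_RET_KILL_PROCESS; /* ran off the end: fail closed */
}

/* Install the filter in a forked child, then have the child issue getpid(),
 * which is not on the allow-list. Returns the signal that killed the child
 * (SIGSYS expected), 0 if it exited normally (filter ineffective), or -1 if
 * the filter could not be installed in this environment. */
int run_child_under_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN,
                               .filter = (struct sock_filter *)filter_insns };
    int status = 0;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Required for unprivileged callers: no setuid gain after filtering. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
            _exit(2);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(3);
        syscall(SYS_getpid); /* disallowed: the kernel delivers SIGSYS here */
        _exit(0);            /* reached only if the filter did not apply */
    }
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFSIGNALED(status))
        return WTERMSIG(status);
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

int main(void)
{
    printf("read   -> %s\n", evaluate_filter(ARCH_NR, __NR_read) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("getpid -> %s\n", evaluate_filter(ARCH_NR, __NR_getpid) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    int sig = run_child_under_filter();
    printf("child: %s\n", sig == SIGSYS ? "killed by SIGSYS as expected" : "filter not enforced or unavailable");
    return 0;
}
```

Build with `cc -O2 seccomp_demo.c -o seccomp_demo` and run it. The parent never comes under the filter, which is why the demonstration forks; the child is terminated with SIGSYS, the outcome the article describes for a disallowed call. The architecture check at the top of the filter matters because syscall numbers differ between ABIs, so a filter that only compares `nr` could be bypassed by a process switching to a compatibility ABI. On kernels from 3.17 onward the same filter can be installed with `seccomp(SECCOMP_SET_MODE_FILTER, 0, &prog)` instead of the prctl() call; the PR_SET_NO_NEW_PRIVS step is required either way for an unprivileged process.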
QEMU, the Quick Emulator, a core component of modern virtualization together with KVM, uses seccomp via the --sandbox parameter.[14]
Docker – software that allows applications to run inside of isolated containers. Docker can associate a seccomp profile with the container using the --security-opt parameter.
Arcangeli's CPUShare was the only known user of seccomp for a while.[15] Writing in February 2009, Linus Torvalds expressed doubt whether seccomp is actually used by anyone.[16] However, a Google engineer replied that Google is exploring using seccomp for sandboxing its Chrome web browser.[17][18]
Firejail is an open source Linux sandbox program that utilizes Linux namespaces, seccomp, and other kernel-level security features to sandbox Linux and Wine applications.[19]
Bubblewrap is a lightweight sandbox application developed from Flatpak.[35]
minijail[36] uses seccomp for process isolation.[37]
SydBox uses seccomp-bpf[38] to improve the runtime and security of the ptrace sandboxing used to sandbox package builds on the Exherbo Linux distribution.
File, a Unix program to determine file types, uses seccomp to restrict its runtime environment.[39]
Zathura, a minimalistic document viewer, uses a seccomp filter to implement different sandbox modes.[40]
Tracker, an indexing and preview application for the GNOME desktop environment, uses seccomp to prevent automatic exploitation of parsing vulnerabilities in media files.[41]