Menu
Home
People
Places
Arts
History
Plants & Animals
Science
Life & Culture
Technology
Reference.org
seccomp
open-in-new
<p>seccomp (short for secure computing) is a <a href="/facts/Computer_security/7E5dIy7G">computer security</a> facility in the <a href="/facts/Linux_kernel/dlkduHuA">Linux kernel</a>. seccomp allows a <a href="/facts/Process_(computing)/Vcq7EnUV">process</a> to make a one-way transition into a "secure" state where it cannot make any <a href="/facts/System_call/NW44AFJr">system calls</a> except exit(), sigreturn(), read() and write() to already-open <a href="/facts/File_descriptor/Iw74UKqG">file descriptors</a>. Should it attempt any other system calls, the kernel will either just log the event or terminate the process with <a href="/facts/SIGKILL/IN6VK6r8">SIGKILL</a> or <a href="/facts/SIGSYS/IN6VK6r8">SIGSYS</a>. In this sense, it does not <a href="/facts/Virtual_machine/BLevU3sx">virtualize</a> the system's resources but isolates the process from them entirely. </p><p>seccomp mode is enabled via the <a href="https://manned.org/prctl.2">prctl(2)</a> system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17) via the <a href="https://manned.org/seccomp.2">seccomp(2)</a> system call. seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl(). In some kernel versions, seccomp disables the <a href="/facts/RDTSC/THy8g17s">RDTSC</a> <a href="/facts/X86/Kypq5fgu">x86</a> instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing. </p><p>seccomp-bpf is an extension to seccomp that allows filtering of system calls using a configurable policy implemented using <a href="/facts/Berkeley_Packet_Filter/G9AHJjCr">Berkeley Packet Filter</a> rules. It is used by <a href="/facts/OpenSSH/2qxJ3Fe7">OpenSSH</a> and <a href="/facts/Vsftpd/Ttf6deV6">vsftpd</a> as well as the Google <a href="/facts/Chrome_web_browser/4INfWq37">Chrome/Chromium</a> web browsers on <a href="/facts/ChromeOS/zH0B5Xtk">ChromeOS</a> and Linux. (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older <a href="/facts/Systrace/wKpBbLuL">systrace</a>—which seems to be no longer supported for <a href="/facts/Linux/9FvCKSTq">Linux</a>.) </p><p>Some consider seccomp comparable to <a href="/facts/OpenBSD/xmPS9tek">OpenBSD</a> pledge(2) and <a href="/facts/FreeBSD/RKsFTm7F">FreeBSD</a> <a href="/facts/Capsicum_(Unix)/ohzldPcz">capsicum</a>(4). </p>