What is seccomp?

Seccomp is short for secure computing mode. This feature is available since Linux version 2.6.12 and provides fairly simple sandboxing capabilities. When a process enables seccomp, the number of system calls will be limited. The only allowed system calls are exit(), read(), sigreturn(), and write().

Seccomp-BPF is an extension to seccomp. It is available since Linux version 3.5 and backported to other versions. It allows specific filtering of system calls using BPF (Berkeley Packet Filter). Using these filters, it can define allow or deny a set of system calls. It can also filter on system call arguments.

Security tools

The following security tools are linked to seccomp and are worth investigating.

  • Karn (create AppArmor and seccomp profiles)