Seccomp

Table of Contents

Last updated at July 20, 2018

Seccomp

Seccomp is short for secure computing mode. This feature is available since Linux version 2.6.12 and provides fairly simple sandboxing capabilities. When a process enables seccomp, the number of system calls will be limited to exit(), read(), sigreturn(), and write().

Seccomp-BPF

Seccomp-BPF is an extension to seccomp and available since Linux version 3.5. It allows filtering of system calls using BPF (Berkeley Packet Filter). The filters define which system calls can be used. It can even filter on system call arguments.