Seccomp Explained

seccomp (short for secure computing) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit, sigreturn, read and write to already-open file descriptors. Should it attempt any other system calls, the kernel will either just log the event or terminate the process with SIGKILL or SIGSYS.^{[1] [2]} In this sense, it does not virtualize the system's resources but isolates the process from them entirely.

seccomp mode is enabled via the system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17^[3]) via the system call.^[4] seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl.^[5] In some kernel versions, seccomp disables the [[RDTSC]] x86 instruction, which returns the number of elapsed processor cycles since power-on, used for high-precision timing.^[6]

seccomp-bpf is an extension to seccomp^[7] that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on ChromeOS and Linux.^[8] (In this regard seccomp-bpf achieves similar functionality, but with more flexibility and higher performance, to the older systrace—which seems to be no longer supported for Linux.)

Some consider seccomp comparable to OpenBSD pledge(2) and FreeBSD capsicum(4).

History

seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.^[9]

Software using seccomp or seccomp-bpf

• Android uses a seccomp-bpf filter in the zygote since Android 8.0 Oreo.^[10]
• systemd's sandboxing options are based on seccomp.^[11]
• QEMU, the Quick Emulator, the core component to the modern virtualization together with KVM uses seccomp on the parameter --sandbox^[12]
• Docker – software that allows applications to run inside of isolated containers. Docker can associate a seccomp profile with the container using the --security-opt parameter.
• Arcangeli's CPUShare was the only known user of seccomp for a while.^[13] Writing in February 2009, Linus Torvalds expresses doubt whether seccomp is actually used by anyone.^[14] However, a Google engineer replied that Google is exploring using seccomp for sandboxing its Chrome web browser.^{[15] [16]}
• Firejail is an open source Linux sandbox program that utilizes Linux namespaces, Seccomp, and other kernel-level security features to sandbox Linux and Wine applications.^[17]
• As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.^[18]
• As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.^[19]
• Snap specify the shape of their application sandbox using "interfaces" which snapd translates to seccomp, AppArmor and other security constructs^[20]
• vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.^[21]
• OpenSSH has supported seccomp-bpf since version 6.0.^[22]
• Mbox uses ptrace along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone.^[23]
• LXD, a Ubuntu "hypervisor" for containers^{[24] [25]}
• Firefox and Firefox OS, which use seccomp-bpf^{[26] [27]}
• Tor supports seccomp since 0.2.5.1-alpha^[28]
• Lepton, a JPEG compression tool developed by Dropbox uses seccomp^[29]
• Kafel is a configuration language, which converts readable policies into seccompb-bpf bytecode^[30]
• Subgraph OS uses seccomp-bpf^{[31] [32]}
• Flatpak uses seccomp for process isolation^[33]
• Bubblewrap is a lightweight sandbox application developed from Flatpak^[34]
• minijail^[35] uses seccomp for process isolation^[36]
• SydBox uses seccomp-bpf^[37] to improve the runtime and security of the ptrace sandboxing used to sandbox package builds on Exherbo Linux distribution.
• File, a Unix program to determine filetypes, uses seccomp to restrict its runtime environment^[38]
• Zathura, a minimalistic document viewer, uses seccomp filter to implement different sandbox modes^[39]
• Tracker, a indexing and preview application for the GNOME desktop environment, uses seccomp to prevent automatic exploitation of parsing vulnerabilities in media files^[40]

External links

• Official website (Archived)
• Google's Chromium sandbox, LWN.net, August 2009, by Jake Edge
• seccomp-nurse, a sandboxing framework based on seccomp
• Documentation/prctl/seccomp_filter.txt, part of the Linux kernel documentation
• Security In-Depth for Linux Software: Preventing and Mitigating Security Bugs

Notes and References

1. Web site: A seccomp overview . 2017-10-05 . Corbet . Jonathan . 2015-09-02 . lwn.
2. Web site: Documentation/prctl/seccomp_filter.txt . 2017-10-05 .
3. Web site: Linux kernel 3.17, Section 11. Security . 2013-10-05 . 2015-03-31 . kernelnewbies.org.
4. Web site: seccomp: add "seccomp" syscall . kernel/git/torvalds/linux.git - Linux kernel source tree . . 2014-06-25 . 2014-08-22.
5. Web site: [PATCH 1 of 2] move seccomp from /proc to a prctl ]. 2013-08-02 . Arcangeli . Andrea . 2007-06-14.
6. Web site: Time-stamp counter disabling oddities in the Linux kernel . 2013-08-02 . Tinnes . Julien . 2009-05-28 . cr0 blog.
7. Web site: Yet another new approach to seccomp . 2013-08-02 . Corbet . Jonathan . 2012-01-11 . lwn.
8. Web site: A safer playground for your Linux and Chrome OS renderers . 2013-08-02 . Tinnes . Julien . 2012-11-19 . The Chromium Blog.
9. Web site: [PATCH] seccomp: secure computing support ]. https://archive.today/20130415050745/http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=d949d0ec9c601f2b148bed3cdb5f87c052968554 . dead . 2013-04-15 . 2013-08-02 . 2005-03-08 . Linux kernel history . Kernel.org git repositories .
10. Web site: Seccomp filter in Android O. Android Developers Blog.
11. Web site: systemd.exec — Execution environment configuration. freedesktop.org. 2017-10-14.
12. Web site: QEMU Sandboxing new model pull request. Otubo. Eduardo. 2017-09-15. qemu-devel mailing list archive.
13. Web site: Re: [stable] [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole ]. 2013-08-02 . van de Ven . Arjan . 2009-02-28 . Linux Kernel Mailing List.
14. Web site: Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole ]. 2013-08-02 . Torvalds . Linus . 2009-02-28 . Linux Kernel Mailing List.
15. Web site: Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole ]. 2013-08-02 . Gutschke . Markus . 2009-05-06.
16. Web site: Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole ]. 2013-08-02 . Gutschke . Markus . 2009-05-06 . Linux Kernel Mailing List.
17. Web site: Firejail. Firejail. en-US. 2016-11-26.
18. Web site: Chrome 20 on Linux and Flash sandboxing . 2013-08-02 . Evans . Chris . 2012-07-04.
19. Web site: Introducing Chrome's next-generation Linux sandbox . 2013-08-02 . Tinnes . Julien . 2012-09-06 . cr0 blog.
20. Web site: Snap security policy . 2017-02-03 . dead . https://web.archive.org/web/20170204012221/https://developer.ubuntu.com/en/snappy/guides/security/ . 2017-02-04 .
21. Web site: vsftpd-3.0.0 and seccomp filter sandboxing is here! . 2013-08-02 . Evans . Chris . 2012-04-09.
22. Web site: Openssh 6.0 release notes . 2013-10-14.
23. Web site: MBOX . 2014-05-20.
24. Web site: LXD an "hypervisor" for containers (based on liblxc) . 4 November 2014 . 2014-11-08.
25. Web site: Where We're Going With LXD . 2014-11-08.
26. Web site: Firefox Seccomp sandbox . 2015-01-13 . Destuynder . Guillaume . 2012-09-13 . Mozilla Bugzilla.
27. Web site: Firefox Seccomp sandbox . 2015-01-13 . Destuynder . Guillaume . 2012-09-13 . Mozilla Wiki.
28. Web site: Tor ChangeLog.
29. Web site: Lepton image compression: saving 22% losslessly from images at 15MB/s. Dropbox Tech Blog. 2016-07-15.
30. Web site: Kafel: A language and library for specifying syscall filtering policies.
31. Web site: Subgraph OS. Subgraph. 2016-12-18.
32. Web site: LoganCIJ16: Future of OS. https://ghostarchive.org/varchive/youtube/20211221/Nol8kKoB-co . 2021-12-21 . live. YouTube. 2016-12-18.
33. Web site: The flatpak security model – part 1: The basics . 2017-01-21.
34. Web site: bubblewrap . 2018-04-14.
35. Web site: Chromium OS Sandboxing - the Chromium Projects.
36. Web site: Minijail [LWN.net]]. lwn.net. 2017-04-11.
37. Web site: core/trace/use_seccomp. 2021-05-31. dev.exherbo.org.
38. Web site: File application Sandboxing. .
39. Web site: Zathura seccomp implementation.
40. Web site: Gnome tracker seccomp implementation.