seccomp
seccomp (short for secure computing mode) is a simple sandboxing mechanism for the Linux kernel.
It allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL.
In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
seccomp mode is enabled via the prctl() system call using the PR_SET_SECCOMP argument. seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favour of prctl().[1]
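The transition described above, as an added example that is not from the article (Linux only; the two constants fall back to their kernel-header values if the system headers lack them): a child process enters strict mode through prctl(), and the parent observes that a write() to an already-open descriptor succeeds while any other system call ends the child with SIGKILL. It also shows a pitfall the article's wording hides: glibc's exit() and _exit() issue the exit_group() syscall, which strict mode does not allow, so the sandboxed child must leave through the bare exit() syscall.

```c
/* Added example, not from the article: assumes Linux with CONFIG_SECCOMP. */
#include <signal.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifndef PR_SET_SECCOMP
#define PR_SET_SECCOMP 22      /* value from <linux/prctl.h> */
#endif
#ifndef SECCOMP_MODE_STRICT
#define SECCOMP_MODE_STRICT 1  /* value from <linux/seccomp.h> */
#endif
/* Run work() in a child that has made the one-way transition into strict
 * mode. Returns the signal that killed the child (SIGKILL when the kernel
 * enforced the sandbox), 0 for a clean exit, -1 if fork/wait failed, and
 * -2 if the kernel refused PR_SET_SECCOMP (no CONFIG_SECCOMP, or a seccomp
 * filter is already installed, as inside many containers). */
static int run_sandboxed(void (*work)(void)) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT, 0, 0, 0) != 0) _exit(2);
        work();
        /* glibc's exit() and _exit() call exit_group(), which is not on the
         * strict-mode allowlist and would draw SIGKILL; use raw exit(). */
        syscall(SYS_exit, 0);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    if (WIFSIGNALED(status)) return WTERMSIG(status);
    return WEXITSTATUS(status) == 2 ? -2 : 0;
}
/* write() to an already-open descriptor stays permitted. */
static void allowed_work(void) {
    static const char msg[] = "strict mode: write() still works\n";
    (void)write(STDOUT_FILENO, msg, sizeof msg - 1);
}
/* Any other syscall, here a raw getpid(), is answered with SIGKILL
 * before it returns. */
static void forbidden_work(void) {
    syscall(SYS_getpid);
}
int main(void) {
    int a = run_sandboxed(allowed_work);    /* expect 0 */
    int f = run_sandboxed(forbidden_work);  /* expect SIGKILL (9) */
    return (a == 0 && f == SIGKILL) ? 0 : 1;
}
```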
In some kernel versions, seccomp disables the RDTSC instruction.[2]
Uses
seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs.
Arcangeli's CPUShare was the only known user of this feature.[3] Writing in February 2009, Linus Torvalds expressed doubt about whether seccomp was actually used by anyone.[4] However, a Google engineer replied that Google was exploring the use of seccomp to sandbox its Chrome web browser.[5]
References
External links
- http://code.google.com/p/seccompsandbox/wiki/overview
- LWN article: Google's Chromium sandbox, Jake Edge, August 2009
- seccomp-nurse, a sandboxing framework based on seccomp.