seccomp
{{Short description|Sandbox facility for Linux kernel}}
{{Update|date=May 2012}}
{{Lowercase title}}
{{Infobox software
| name = seccomp
| title = seccomp
| logo =
| logo caption =
| logo_size =
| logo_alt =
| screenshot =
| caption =
| screenshot_size =
| screenshot_alt =
| collapsible =
| author = Andrea Arcangeli
| developer =
| released = {{Start date and age|2005|03|08}}
| discontinued =
| latest release version =
| latest release date =
| latest preview version =
| latest preview date =
| programming language = C
| operating system = Linux
| platform =
| size =
| language =
| language count =
| language footnote =
| genre = Sandboxing
| license = GNU General Public License
| website = {{URL|https://code.google.com/archive/p/seccompsandbox/wikis/overview.wiki}}
}}
seccomp (short for secure computing{{man|2|seccomp|Linux|"The seccomp() system call operates on the Secure Computing (seccomp) state"}}) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), sigreturn(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will either just log the event or terminate the process with SIGKILL or SIGSYS.{{cite web | url = https://lwn.net/Articles/656307/ | title = A seccomp overview | access-date = 2017-10-05 | last = Corbet | first = Jonathan | date = 2015-09-02 | work = lwn}}{{cite web | url = https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt | title = Documentation/prctl/seccomp_filter.txt | access-date = 2017-10-05 }} In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
seccomp mode is enabled via the {{man|2|prctl|Linux||inline}} system call using the PR_SET_SECCOMP argument, or (since Linux kernel 3.17{{cite web | url = http://kernelnewbies.org/Linux_3.17#head-6fd84937bbba3b384979760008858881c99e4a53 | title = Linux kernel 3.17, Section 11. Security | date = 2013-10-05 | access-date = 2015-03-31 | website = kernelnewbies.org }}) via the {{man|2|seccomp|Linux||inline}} system call.{{cite web |url=https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=48dc92b9fc3926844257316e75ba11eb5c742b2c |title=seccomp: add "seccomp" syscall |work=kernel/git/torvalds/linux.git - Linux kernel source tree |publisher=kernel.org |date=2014-06-25 |access-date=2014-08-22}} seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favor of prctl().{{cite web | url = http://lkml.indiana.edu/hypermail/linux/kernel/0706.1/2525.html | title = [PATCH 1 of 2] move seccomp from /proc to a prctl | access-date = 2013-08-02 | last = Arcangeli | first = Andrea | date = 2007-06-14}} In some kernel versions, seccomp disables the RDTSC x86 instruction, which returns the number of elapsed processor cycles since power-on and is used for high-precision timing.{{cite web | url = http://blog.cr0.org/2009/05/time-stamp-counter-disabling-oddities.html | title = Time-stamp counter disabling oddities in the Linux kernel | access-date = 2013-08-02 | last = Tinnes | first = Julien | date = 2009-05-28 | work = cr0 blog}}
seccomp-bpf is an extension to seccomp{{cite web | url = https://lwn.net/Articles/475043/ | title = Yet another new approach to seccomp | access-date = 2013-08-02 | last = Corbet | first = Jonathan | date = 2012-01-11 | work = lwn}} that allows filtering of system calls using a configurable policy implemented using Berkeley Packet Filter rules. It is used by OpenSSH and vsftpd as well as the Google Chrome/Chromium web browsers on ChromeOS and Linux.{{cite web | url = https://blog.chromium.org/2012/11/a-safer-playground-for-your-linux-and.html | title = A safer playground for your Linux and Chrome OS renderers | access-date = 2013-08-02 | last = Tinnes | first = Julien | date = 2012-11-19 | work = The Chromium Blog}} (In this regard seccomp-bpf provides functionality similar to that of the older systrace, but with more flexibility and higher performance; systrace appears to be no longer supported for Linux.)
Some consider seccomp comparable to OpenBSD pledge(2) and FreeBSD capsicum(4){{Citation needed|date=November 2022}}.
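As an added illustration (not code from the article's sources), the following C program installs a seccomp-bpf allow-list filter of the kind described above: it permits only read, write, exit_group and rt_sigreturn, checks the calling ABI before looking at the syscall number (the "32/64 syscall hole" discussed in the cited LKML thread), and uses a forked child to show that any other system call terminates the process with SIGSYS. The names DEMO_ARCH, ALLOW, install_allowlist_filter and demo_filter_kills_on_violation are the example's own; it assumes an x86-64 or AArch64 Linux host.

```c
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64  /* the ABI this filter is built for */
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#endif
/* Return ALLOW when the loaded syscall number equals nr, otherwise fall through. */
#define ALLOW(nr) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1), \
                  BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)
/* Allow-list filter: read, write, exit_group and rt_sigreturn; anything else kills. */
static int install_allowlist_filter(void)
{
    struct sock_filter prog[] = {
        /* Check the ABI first so syscall numbers of a different ABI cannot slip through. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        ALLOW(SYS_read), ALLOW(SYS_write), ALLOW(SYS_exit_group), ALLOW(SYS_rt_sigreturn),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),  /* default: terminate with SIGSYS */
    };
    struct sock_fprog fprog = { .len = sizeof prog / sizeof prog[0], .filter = prog };
    /* An unprivileged process must set no_new_privs before it may install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}

/* Fork a child that installs the filter, then calls getppid(), which is not allowed.
   Returns the killing signal (expected SIGSYS), the exit status, or -1 on failure. */
int demo_filter_kills_on_violation(void)
{
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (install_allowlist_filter() != 0) _exit(2);  /* exit_group is allowed */
        (void)getppid();  /* filtered syscall: the kernel delivers SIGSYS here */
        _exit(0);         /* not reached */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    return WIFSIGNALED(status) ? WTERMSIG(status) : WEXITSTATUS(status);
}
```

A child exit status of 2 means the filter could not be installed (for example, a container runtime that already forbids PR_SET_SECCOMP), which is the case to check first when a sandbox appears not to take effect.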
History
seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. It was merged into the Linux kernel mainline in kernel version 2.6.12, which was released on March 8, 2005.{{cite web | url = https://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=d949d0ec9c601f2b148bed3cdb5f87c052968554 | archive-url = https://archive.today/20130415050745/http://git.kernel.org/?p=linux/kernel/git/tglx/history.git;a=commit;h=d949d0ec9c601f2b148bed3cdb5f87c052968554 | url-status = dead | archive-date = 2013-04-15 | title = [PATCH] seccomp: secure computing support | access-date = 2013-08-02 | date = 2005-03-08 | work = Linux kernel history | publisher = Kernel.org git repositories }}
Software using seccomp or seccomp-bpf
- Android uses a seccomp-bpf filter in the zygote since Android 8.0 Oreo.{{Cite web|url=https://android-developers.googleblog.com/2017/07/seccomp-filter-in-android-o.html|title=Seccomp filter in Android O|website=Android Developers Blog}}
- systemd's sandboxing options are based on seccomp.{{Cite web|url=https://www.freedesktop.org/software/systemd/man/systemd.exec.html|title=systemd.exec — Execution environment configuration|website=freedesktop.org|access-date=2017-10-14}}
- QEMU, the Quick Emulator, which together with KVM forms the core of modern virtualization, enables seccomp via the --sandbox parameter.{{Cite web|url=https://lists.gnu.org/archive/html/qemu-devel/2017-09/msg04072.html|title=QEMU Sandboxing new model pull request|last=Otubo|first=Eduardo|date=2017-09-15|website=qemu-devel mailing list archive}}
- Docker – software that allows applications to run inside of isolated containers. Docker can associate a seccomp profile with the container using the --security-opt parameter.
- Arcangeli's CPUShare was the only known user of seccomp for a while.{{cite web | url = https://lkml.org/lkml/2009/2/28/141 | title = Re: [stable] [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole | access-date = 2013-08-02 | last = van de Ven | first = Arjan | date = 2009-02-28 | work = Linux Kernel Mailing List}} Writing in February 2009, Linus Torvalds expressed doubt whether seccomp was actually used by anyone.{{cite web | url = https://lkml.org/lkml/2009/2/28/129 | title = Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole | access-date = 2013-08-02 | last = Torvalds | first = Linus | date = 2009-02-28 | work = Linux Kernel Mailing List}} However, a Google engineer replied that Google was exploring using seccomp for sandboxing its Chrome web browser.{{cite web | url = http://article.gmane.org/gmane.linux.ports.sparc/11622 | title = Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole | access-date = 2013-08-02 | last = Gutschke | first = Markus | date = 2009-05-06}}{{cite web | url = https://lkml.org/lkml/2009/5/6/365 | title = Re: [PATCH 2/2] x86-64: seccomp: fix 32/64 syscall hole | access-date = 2013-08-02 | last = Gutschke | first = Markus | date = 2009-05-06 | work = Linux Kernel Mailing List}}
- Firejail is an open source Linux sandbox program that utilizes Linux namespaces, Seccomp, and other kernel-level security features to sandbox Linux and Wine applications.{{Cite web|url=https://firejail.wordpress.com/|title=Firejail|website=Firejail|language=en-US|access-date=2016-11-26}}
- As of Chrome version 20, seccomp-bpf is used to sandbox Adobe Flash Player.{{cite web | url = http://scarybeastsecurity.blogspot.com/2012/07/chrome-20-on-linux-and-flash-sandboxing.html | title = Chrome 20 on Linux and Flash sandboxing | access-date = 2013-08-02 | last = Evans | first = Chris | date = 2012-07-04}}
- As of Chrome version 23, seccomp-bpf is used to sandbox the renderers.{{cite web | url = http://blog.cr0.org/2012/09/introducing-chromes-next-generation.html | title = Introducing Chrome's next-generation Linux sandbox | access-date = 2013-08-02 | last = Tinnes | first = Julien | date = 2012-09-06 | work = cr0 blog}}
- Snaps specify the shape of their application sandbox using "interfaces", which snapd translates to seccomp, AppArmor and other security constructs.{{cite web | url = https://developer.ubuntu.com/en/snappy/guides/security/ | title = Snap security policy | access-date = 2017-02-03 | url-status = dead | archive-url = https://web.archive.org/web/20170204012221/https://developer.ubuntu.com/en/snappy/guides/security/ | archive-date = 2017-02-04 }}
- vsftpd uses seccomp-bpf sandboxing as of version 3.0.0.{{cite web | url = http://scarybeastsecurity.blogspot.de/2012/04/vsftpd-300-and-seccomp-filter.html | title = vsftpd-3.0.0 and seccomp filter sandboxing is here! | access-date = 2013-08-02 | last = Evans | first = Chris | date = 2012-04-09}}
- OpenSSH has supported seccomp-bpf since version 6.0.{{cite web | url = https://www.openssh.com/txt/release-6.0 | title = Openssh 6.0 release notes | access-date = 2013-10-14}}
- Mbox uses ptrace along with seccomp-bpf to create a secure sandbox with less overhead than ptrace alone.{{cite web | url = http://pdos.csail.mit.edu/mbox/ | title = MBOX | access-date = 2014-05-20}}
- LXD, an Ubuntu "hypervisor" for containers{{cite web | url = https://lists.linuxcontainers.org/pipermail/lxc-devel/2014-November/010817.html | title = LXD an "hypervisor" for containers (based on liblxc) | date = 4 November 2014 | access-date = 2014-11-08}}{{cite web | url = http://blog.dustinkirkland.com/2014/11/where-were-going-with-lxd.html | title = Where We're Going With LXD | access-date = 2014-11-08}}
- Firefox and Firefox OS, which use seccomp-bpf{{cite web | url = https://bugzilla.mozilla.org/show_bug.cgi?id=790923 | title = Firefox Seccomp sandbox | access-date = 2015-01-13 | last = Destuynder | first = Guillaume | date = 2012-09-13 | work = Mozilla Bugzilla}}{{cite web | url = https://wiki.mozilla.org/Security/Sandbox/Seccomp | title = Firefox Seccomp sandbox | access-date = 2015-01-13 | last = Destuynder | first = Guillaume | date = 2012-09-13 | work = Mozilla Wiki}}
- Tor has supported seccomp since 0.2.5.1-alpha.{{cite web | url = https://gitweb.torproject.org/tor.git/plain/ChangeLog | title = Tor ChangeLog}}
- Lepton, a JPEG compression tool developed by Dropbox, uses seccomp.{{Cite web|url=https://blogs.dropbox.com/tech/2016/07/lepton-image-compression-saving-22-losslessly-from-images-at-15mbs/|title=Lepton image compression: saving 22% losslessly from images at 15MB/s|website=Dropbox Tech Blog|access-date=2016-07-15}}
- Kafel is a configuration language that converts readable policies into seccomp-bpf bytecode.{{Cite web|url=https://google.github.io/kafel/|title=Kafel: A language and library for specifying syscall filtering policies}}
- Subgraph OS uses seccomp-bpf{{Cite web|url=https://subgraph.com/|title=Subgraph OS|website=Subgraph|access-date=2016-12-18}}{{Cite web|url=https://www.youtube.com/watch?v=Nol8kKoB-co&t=48m56s |archive-url=https://ghostarchive.org/varchive/youtube/20211221/Nol8kKoB-co |archive-date=2021-12-21 |url-status=live|title=LoganCIJ16: Future of OS|website=YouTube|access-date=2016-12-18}}{{cbignore}}
- Flatpak uses seccomp for process isolation{{cite web | url = https://blogs.gnome.org/alexl/2017/01/18/the-flatpak-security-model-part-1-the-basics/ | title = The flatpak security model – part 1: The basics | access-date = 2017-01-21}}
- Bubblewrap is a lightweight sandbox application developed from Flatpak{{cite web | url = https://wiki.archlinux.org/index.php/Bubblewrap| title = bubblewrap | access-date = 2018-04-14}}
- minijail{{Cite web|url=https://www.chromium.org/chromium-os/developer-guide/chromium-os-sandboxing|title=Chromium OS Sandboxing - the Chromium Projects}} uses seccomp for process isolation{{Cite web|url=https://lwn.net/Articles/700557/|title=Minijail [LWN.net]|website=lwn.net|access-date=2017-04-11}}
- SydBox uses seccomp-bpf{{Cite web|url=https://dev.exherbo.org/~alip/sydbox/sydbox.html|title=core/trace/use_seccomp|access-date=2021-05-31|website=dev.exherbo.org}} to improve the runtime and security of the ptrace sandboxing used to sandbox package builds on the Exherbo Linux distribution.
- File, a Unix program to determine file types, uses seccomp to restrict its runtime environment.{{Cite web|url=https://github.com/file/file/blob/master/src/seccomp.c|title=File application Sandboxing|website=GitHub }}
- Zathura, a minimalistic document viewer, uses seccomp filters to implement different sandbox modes.{{Cite web|url=https://github.com/pwmt/zathura/blob/develop/zathura/seccomp-filters.c|title=Zathura seccomp implementation}}
- Tracker, an indexing and preview application for the GNOME desktop environment, uses seccomp to prevent automatic exploitation of parsing vulnerabilities in media files.{{Cite web|url=https://gitlab.gnome.org/GNOME/tracker-miners/-/blob/master/src/libtracker-miners-common/tracker-seccomp.c|title=Gnome tracker seccomp implementation}}
References
{{Reflist}}
External links
- [https://code.google.com/archive/p/seccompsandbox/wikis/overview.wiki Official website (Archived)]
- [https://lwn.net/Articles/347547/ Google's Chromium sandbox], LWN.net, August 2009, by Jake Edge
- [https://web.archive.org/web/20110106145629/http://chdir.org/~nico/seccomp-nurse/ seccomp-nurse], a sandboxing framework based on seccomp
- [https://www.kernel.org/doc/Documentation/prctl/seccomp_filter.txt Documentation/prctl/seccomp_filter.txt], part of the Linux kernel documentation
- [https://www.cr0.org/paper/jt-ce-sid_linux.pdf Security In-Depth for Linux Software: Preventing and Mitigating Security Bugs]
{{Linux kernel}}
{{Linux}}