Seccomp
Encyclopedia
seccomp is a simple sandboxing
mechanism for the Linux
kernel.
It allows a process
to make a one-way transition into a "secure" state where it cannot make any system call
s except exit, sigreturn, read and write to already-open file descriptor
s. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL
.
In this sense, it does not virtualize
the system's resources but isolates the process from them entirely.
seccomp mode is enabled via the prctl system call using the PR_SET_SECCOMP argument. seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favour of prctl.
In some kernel versions, seccomp disables the RDTSC
instruction.
and was originally intended as a means of safely running untrusted compute-bound programs.
Arcangeli's CPUShare was the only known user of this feature. Writing in February 2009, Linus Torvalds
expresses doubt whether seccomp is actually used by anyone. However, a Google engineer replied that Google is exploring using seccomp for sandbox
ing its Chrome
web browser.
Sandbox (computer security)
In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites....
mechanism for the Linux
Linux
Linux is a Unix-like computer operating system assembled under the model of free and open source software development and distribution. The defining component of any Linux system is the Linux kernel, an operating system kernel first released October 5, 1991 by Linus Torvalds...
kernel.
It allows a process
Process (computing)
In computing, a process is an instance of a computer program that is being executed. It contains the program code and its current activity. Depending on the operating system , a process may be made up of multiple threads of execution that execute instructions concurrently.A computer program is a...
to make a one-way transition into a "secure" state where it cannot make any system call
System call
In computing, a system call is how a program requests a service from an operating system's kernel. This may include hardware related services , creating and executing new processes, and communicating with integral kernel services...
s except exit, sigreturn, read and write to already-open file descriptor
File descriptor
In computer programming, a file descriptor is an abstract indicator for accessing a file. The term is generally used in POSIX operating systems...
s. Should it attempt any other system calls, the kernel will terminate the process with SIGKILL
SIGKILL
On POSIX-compliant platforms, SIGKILL is the signal sent to a process to cause it to terminate immediately. The symbolic constant for SIGKILL is defined in the header file signal.h. Symbolic signal names are used because signal numbers can vary across platforms, however on the vast majority of...
.
In this sense, it does not virtualize
Virtual machine
A virtual machine is a "completely isolated guest operating system installation within a normal host operating system". Modern virtual machines are implemented with either software emulation or hardware virtualization or both together.-VM Definitions:A virtual machine is a software...
the system's resources but isolates the process from them entirely.
seccomp mode is enabled via the prctl system call using the PR_SET_SECCOMP argument. seccomp mode used to be enabled by writing to a file, /proc/self/seccomp, but this method was removed in favour of prctl.
In some kernel versions, seccomp disables the RDTSC
Time Stamp Counter
The Time Stamp Counter is a 64-bit register present on all x86 processors since the Pentium. It counts the number of ticks since reset. The instruction "RDTSC" returns the TSC in EDX:EAX. In x86_64 mode, RDTSC also clears the higher 32 bits of RAX. Its opcode is 0F 31. Pentium competitors such as...
instruction.
Uses
seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computingGrid computing
Grid computing is a term referring to the combination of computer resources from multiple administrative domains to reach a common goal. The grid can be thought of as a distributed system with non-interactive workloads that involve a large number of files...
and was originally intended as a means of safely running untrusted compute-bound programs.
Arcangeli's CPUShare was the only known user of this feature. Writing in February 2009, Linus Torvalds
Linus Torvalds
Linus Benedict Torvalds is a Finnish software engineer and hacker, best known for having initiated the development of the open source Linux kernel. He later became the chief architect of the Linux kernel, and now acts as the project's coordinator...
expresses doubt whether seccomp is actually used by anyone. However, a Google engineer replied that Google is exploring using seccomp for sandbox
Sandbox (computer security)
In computer security, a sandbox is a security mechanism for separating running programs. It is often used to execute untested code, or untrusted programs from unverified third-parties, suppliers, untrusted users and untrusted websites....
ing its Chrome
Google Chrome
Google Chrome is a web browser developed by Google that uses the WebKit layout engine. It was first released as a beta version for Microsoft Windows on September 2, 2008, and the public stable release was on December 11, 2008. The name is derived from the graphical user interface frame, or...
web browser.
External links
- http://code.google.com/p/seccompsandbox/wiki/overview
- LWN article: Google's Chromium sandbox, Jake Edge, August 2009
- seccomp-nurse, a sandboxing framework based on seccomp.