Contents
What is seccomp filter?
Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The filter is expressed as a Berkeley Packet Filter (BPF) program, as with socket filters, except that the data operated on is related to the system call being made: system call number and the system call arguments.
What is Linux BPF?
The Berkeley Packet Filter (BPF) has become one of the main tools for observing the Linux kernel. It lets users run a small, verified piece of code quickly and safely inside the kernel. For example, a small BPF program attached to a tracepoint or kprobe can emit an event every time a particular file is opened by a user.
What is a Seccomp profile?
Secure computing mode (seccomp) is a Linux kernel feature. You can use it to restrict the actions available within a container. The seccomp() system call operates on the seccomp state of the calling process. In Docker's terms, a seccomp profile is a JSON file that names the system calls a container may make and a defaultAction for everything else; Docker installs it as a seccomp filter in the container's init process, and you can use the same mechanism to restrict your own application's system-call access.
Does Docker use seccomp?
seccomp is instrumental for running Docker containers with least privilege. Docker applies a default profile to every container on kernels built with seccomp support; a custom profile can be supplied with --security-opt seccomp=profile.json, and the default can be turned off with --security-opt seccomp=unconfined. It is not recommended to change the default seccomp profile unless a workload needs a system call it blocks.
Why is BPF used?
BPF allows users to run a small piece of code quickly and safely inside the operating system. Originally used for packet filtering, it has since been enhanced from its eponymous use-case to support dynamic tracing of the Linux operating system.
What is eBPF in Linux?
Extended Berkeley Packet Filter (eBPF) is a kernel technology (the bpf() system call arrived in Linux 3.18 and the feature was built out through the 4.x series) that allows verified programs to run inside the kernel without changing the kernel source code or adding additional modules.
What can seccomp-bpf be used for?
Seccomp-BPF is a more recent extension to seccomp, which allows filtering system calls with BPF (Berkeley Packet Filter) programs. These filters can be used to allow or deny an arbitrary set of system calls, as well as filter on system call arguments (numeric values only; pointer arguments can’t be dereferenced).
What does the seccomp filter return in Linux?
In decreasing order of precedence, the action values that may be returned by a seccomp filter are: SECCOMP_RET_KILL_PROCESS (since Linux 4.14), SECCOMP_RET_KILL_THREAD, SECCOMP_RET_TRAP, SECCOMP_RET_ERRNO, SECCOMP_RET_USER_NOTIF, SECCOMP_RET_TRACE, SECCOMP_RET_LOG and SECCOMP_RET_ALLOW. Precedence matters when several filters are installed: each filter is run and the action with the highest precedence wins. SECCOMP_RET_KILL_PROCESS results in immediate termination of the whole process, as if killed by SIGSYS (with a core dump where core dumps are enabled); the system call is not executed. The low 16 bits of the return value (SECCOMP_RET_DATA) carry data for the action, for example the errno value for SECCOMP_RET_ERRNO.
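The three answers above (a filter is a BPF program over the syscall number and arguments, only numeric arguments can be tested, and the filter returns one of a fixed set of actions) as one worked example in C. This is an added example, not code from the original page, the kernel documentation, Docker or Chromium. It hand-assembles a small allow-list filter, runs it through a tiny classic-BPF interpreter written here (run_filter, decide and install_filter are names chosen for this example) so the policy can be checked without installing it, and finally installs it for real with prctl(). It assumes x86-64 Linux with kernel headers, little-endian byte order (so the low 32 bits of args[0] sit at the start of the 64-bit slot), and that the only arguments worth testing are plain integers such as a file descriptor.

```c
/* Added example: hand-assembled seccomp-bpf filter plus a minimal
 * classic-BPF interpreter to exercise it. Assumes x86-64 Linux,
 * little-endian, kernel headers >= 4.14 (for SECCOMP_RET_KILL_PROCESS). */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

#define LOAD(field)      BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, field))
#define JEQ(val, jt, jf) BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (val), (jt), (jf))
#define RET(v)           BPF_STMT(BPF_RET | BPF_K, (v))
#define ERRNO(e)         (SECCOMP_RET_ERRNO | ((e) & SECCOMP_RET_DATA))

/* Policy: allow read/exit/exit_group/rt_sigreturn; allow write only to fd 1
 * or 2 (EACCES otherwise); any other syscall fails with EPERM; a syscall made
 * for the wrong architecture (e.g. 32-bit compat) kills the process.
 * Jump offsets are relative to the NEXT instruction; indices in comments. */
static struct sock_filter filter[] = {
    LOAD(arch),                                  /* [0]  */
    JEQ(AUDIT_ARCH_X86_64, 1, 0),                /* [1]  ok -> [3] */
    RET(SECCOMP_RET_KILL_PROCESS),               /* [2]  */
    LOAD(nr),                                    /* [3]  */
    JEQ(__NR_exit_group, 0, 1), RET(SECCOMP_RET_ALLOW),   /* [4]-[5]  */
    JEQ(__NR_exit, 0, 1),       RET(SECCOMP_RET_ALLOW),   /* [6]-[7]  */
    JEQ(__NR_rt_sigreturn, 0, 1), RET(SECCOMP_RET_ALLOW), /* [8]-[9]  */
    JEQ(__NR_read, 0, 1),       RET(SECCOMP_RET_ALLOW),   /* [10]-[11] */
    JEQ(__NR_write, 0, 5),                       /* [12] not write -> [18] */
    LOAD(args[0]),                               /* [13] low 32 bits of fd (little-endian) */
    JEQ(1, 1, 0),                                /* [14] stdout -> [16] */
    JEQ(2, 0, 1),                                /* [15] stderr -> [16], else [17] */
    RET(SECCOMP_RET_ALLOW),                      /* [16] */
    RET(ERRNO(EACCES)),                          /* [17] */
    RET(ERRNO(EPERM)),                           /* [18] default deny */
};
#define FILTER_LEN (sizeof filter / sizeof filter[0])

/* Interpreter for the classic-BPF subset seccomp filters use: absolute
 * 32-bit loads from seccomp_data, JEQ/JGE against a constant, RET constant.
 * Loads the kernel would reject at install time, unknown opcodes and
 * falling off the end are all reported as KILL_PROCESS. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    uint32_t acc = 0;
    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *in = &prog[pc];
        switch (in->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if (in->k + 4 > sizeof *sd || in->k % 4)
                return SECCOMP_RET_KILL_PROCESS;
            memcpy(&acc, (const unsigned char *)sd + in->k, sizeof acc);
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == in->k) ? in->jt : in->jf;
            break;
        case BPF_JMP | BPF_JGE | BPF_K:
            pc += (acc >= in->k) ? in->jt : in->jf;
            break;
        case BPF_RET | BPF_K:
            return in->k;
        default:
            return SECCOMP_RET_KILL_PROCESS;
        }
    }
    return SECCOMP_RET_KILL_PROCESS;
}

/* Evaluate the policy for one hypothetical syscall entry. */
uint32_t decide(int nr, uint32_t arch, uint64_t arg0)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof sd);
    sd.nr = nr;
    sd.arch = arch;
    sd.args[0] = arg0;
    return run_filter(filter, FILTER_LEN, &sd);
}

/* Install the same program for real. PR_SET_NO_NEW_PRIVS is required for an
 * unprivileged process and stops execve() from regaining privileges the
 * filter cannot reason about. Returns 0, or -1 with errno set. */
int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN, .filter = filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    static const char ok[] = "write(1) allowed\n";
    static const char blocked[] = "write(3) failed with EACCES before reaching the kernel\n";
    if (install_filter() == -1)
        return 1;
    write(1, ok, sizeof ok - 1);                      /* fd 1: passes [14] */
    if (write(3, ok, sizeof ok - 1) == -1 && errno == EACCES)
        write(2, blocked, sizeof blocked - 1);        /* fd 3: [17], not EBADF */
    _exit(0);                                         /* exit_group: allowed */
}
```

The arch check comes first because syscall numbers are per-ABI: on an x86-64 kernel a 32-bit compat read has a different number, so a filter that only matches nr is trivially bypassed. The fd test shows what "numeric values only" buys you: the filter can compare the integer in args[0], but could not, for instance, inspect the buffer that args[1] points to.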
Where to find seccomp-bpf sandbox.cpp file?
This refers to the Linux sandbox in the Firefox source tree. Sandbox.cpp is the code that starts the sandbox and handles violations. The policy is compiled into a seccomp-bpf program using the Chromium code imported in security/sandbox/chromium/sandbox/linux. Files of interest in that subtree:
How does seccomp work in a secure environment?
This describes seccomp's original strict mode (SECCOMP_MODE_STRICT), not the filter mode. When strict mode is enabled, the process enters a "secure mode" where only a very small number of system calls are available (exit(), read(), write() and sigreturn()); any other system call kills the process with SIGKILL. Writing code to work in this environment is difficult; for example, dynamic memory allocation (using brk() or mmap(), either directly or to implement malloc()) is not possible, so everything the process needs must be set up before entering strict mode. Filter mode (SECCOMP_MODE_FILTER) exists precisely to let a program choose its own, larger set of permitted calls.