seccomp
Last updated
Last updated
Unlike chroot, seccomp allows developers to write complex rules to:
whitelist certain syscalls.
blacklsit certain syscalls.
whitelist/blacklist syscalls based on argument variables.
seccomp rules are inherited by children processes!
To learn more about seccomp, you can read the documentation. Here we learn how it works through an example.
seccomp uses the kernel functionality eBPF (extended Berkeley Packet Filter). eBPFs are programs that run in an in-kernel, "provably-safe" virtual machine. It is used with seccomp()
to apply syscall filters to processes.
My comment:
Interestingly enough, ZDI recently published a blog post on CVE-2021-31440, which is a bug that bypassed the eBPF verification and resulted in an out-of-bounds (OOB) access in the Linux kernel. You can read more about it here: