
Seccomp-bpf

Seccomp-bpf, short for seccomp with Berkeley Packet Filter, is a Linux kernel feature that enables fine-grained sandboxing of a process by filtering system calls using a BPF program. It extends the original seccomp mechanism by allowing custom policies that inspect a syscall number and its arguments, enabling allow, deny, or trap actions. When a process is in seccomp-bpf mode, each attempted system call is evaluated by the loaded BPF program, and execution proceeds or is limited according to the policy.

Implementation and policy: A process enters seccomp-bpf mode by loading a BPF program into the kernel. The BPF program is evaluated on each syscall; common actions include allowing a call, killing the process, or triggering a trap for a tracer. The libseccomp library provides a user-space API to build and load filters without writing raw BPF code. Policies can be written to permit only the necessary syscalls and deny or trap the rest, or to conditionally allow syscalls based on their arguments or the calling context.

Applications and usage: Seccomp-bpf is widely used to isolate processes in container environments. Container platforms such as Docker and Kubernetes apply default profiles that restrict a broad set of syscalls while permitting those required by the workload. Custom profiles can be tailored to specific applications or deployment scenarios, and seccomp-bpf can be combined with other isolation mechanisms like user namespaces for defense in depth.

Limitations and considerations: The effectiveness of seccomp-bpf depends on the correctness and completeness of the policy; misconfigurations can either break functionality or weaken security. It is not a substitute for other containment measures and may not prevent all kernel exploits. Kernel support for seccomp-bpf is required, and compatibility may vary with older kernel versions.
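As an added example that is not part of the original article, the argument-conditional policy described under implementation and policy above, written as a raw seccomp-bpf filter in C rather than through libseccomp: it allows every syscall except socket() with AF_INET as its first argument, which is refused with EPERM, and it probes the result in a forked child. It assumes an x86-64 Linux kernel with seccomp filter support; the names policy, install_filter and probe_socket_policy are the example's own.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
/* Assumes x86-64: use the matching AUDIT_ARCH_* value on other architectures. */
#define ARCH_NR AUDIT_ARCH_X86_64
#define SC_OFF(f) offsetof(struct seccomp_data, f)

/* Allow every syscall except socket(AF_INET, ...), which fails with EPERM. The
 * arch check comes first so syscall numbers from another ABI are never matched. */
static struct sock_filter policy[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_socket, 0, 3),  /* not socket: allow */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, SC_OFF(args[0])),    /* low 32 bits of arg0 */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AF_INET, 0, 1),     /* other family: allow */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};

static int install_filter(void) {
    struct sock_fprog prog = { .len = sizeof policy / sizeof policy[0], .filter = policy };
    /* no_new_privs is required for an unprivileged process to load a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Run the check in a forked child so the caller stays unfiltered. Returns 1 if
 * AF_UNIX works and AF_INET gets EPERM, 0 if not, 2 if the filter was refused. */
int probe_socket_policy(void) {
    int status;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_filter() == -1) _exit(2);
        int unix_ok = socket(AF_UNIX, SOCK_STREAM, 0) >= 0;
        int inet_denied = socket(AF_INET, SOCK_STREAM, 0) == -1 && errno == EPERM;
        _exit(unix_ok && inet_denied ? 1 : 0);
    }
    if (pid == -1 || waitpid(pid, &status, 0) == -1 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

Argument tests operate on the raw register values in struct seccomp_data, so a filter can compare integer arguments such as the address family but cannot read memory that a pointer argument refers to. Returning SECCOMP_RET_ERRNO rather than killing the process makes a denied call surface as an ordinary error the application can log, which is usually easier to diagnose while a policy is being developed.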