Seccomp Bpf

Seccomp-BPF is an UnprivilegedSandboxing mechanism on Linux. It lets a process restrict which system calls it is allowed to make.

In one sentence, SeccompBpf is a “packet filter for system call attempts”.

The policy also applies to any subprocesses the filtered process later spawns.

The BPF variant used is the original (classic) BerkeleyPacketFilter bytecode, not the extended variant eBPF.
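As an added example (not part of the original page), the following C code installs a minimal Seccomp-BPF filter from unprivileged code: the classic BPF program treats each system-call attempt as a packet (struct seccomp_data), checks the architecture first, denies one syscall with EPERM and allows everything else, and probe_in_child shows that a forked child inherits the policy. The names DEMO_ARCH, install_filter, probe_getppid, probe_in_child and the choice of getppid as the denied syscall are this example's own assumptions.

```c
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif
/* Classic BPF program the kernel runs on every syscall attempt; its "packet"
 * is struct seccomp_data (nr, arch, args). The ABI check comes first because
 * syscall numbers differ between architectures. */
static struct sock_filter filter[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),   /* wrong ABI */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),  /* deny getppid */
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),           /* everything else */
};
/* Install without privilege: NO_NEW_PRIVS must be set first, otherwise the
 * kernel demands CAP_SYS_ADMIN. Returns 0 on success, else the errno. */
int install_filter(void) {
    struct sock_fprog prog = { sizeof(filter) / sizeof(filter[0]), filter };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return errno;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0 ? errno : 0;
}

/* Attempt the denied syscall; returns the errno observed (0 = allowed). */
int probe_getppid(void) {
    return syscall(SYS_getppid) == -1 ? errno : 0;
}

/* Fork after installing: the child inherits the policy and reports its errno. */
int probe_in_child(void) {
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) _exit(probe_getppid());
    return waitpid(pid, &status, 0) == pid && WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

Once installed, the filter cannot be removed from the process, so run this in a throwaway process rather than a shell you want to keep using.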

Compare: “The feasibility of pledge() on Linux”, which discusses the problems of using Seccomp-BPF.