Lukas' Notes

Seccomp

May 10, 20261 min read

Definition
Modes
Abstraction

operating-systems security

Definition

Seccomp

Seccomp is a Linux kernel mechanism that allows a process to make a one-way transition into a restricted state where it may invoke only explicitly allowed system calls.

Modes

Strict mode

In strict mode the process may use only four system calls: read, write, exit, and sigreturn. Any other system call terminates the process.

Filter mode

In filter mode the allowed system calls are defined by a BPF program. The filter returns an action for each system call, for example:

SECCOMP_RET_KILL_PROCESS — terminate the process;

SECCOMP_RET_ERRNO — fail the call with a specified error number;

SECCOMP_RET_ALLOW — allow the call to proceed.

Abstraction

Higher-level interfaces

libseccomp provides a conventional function-call interface for building filters. Container runtimes such as Docker and Kubernetes allow allowed syscalls and fallback actions to be declared in a JSON profile.

Backlinks

192.019 Introduction to Security
Berkeley Packet Filter

Created with Quartz v4.5.2 © 2026

GitHub