
Cook: seccomp filter now in Ubuntu

[Security] Posted Mar 26, 2012 16:02 UTC (Mon) by jake

On his blog, Kees Cook reports that the Ubuntu kernel for 12.04 has added the seccomp filter feature, which uses the kernel's packet-filtering machinery (BPF) to restrict which system calls a process may make. He also notes that the feature will be added to the Chrome OS kernel soon. "One of the questions I’ve been asked by several people while they developed policy for earlier “mode 2” seccomp implementations was “How do I figure out which syscalls my program is going to need?” To help answer this question, and to show a simple use of seccomp filter, I’ve written up a little tutorial that walks through several steps of building a seccomp filter. It includes a header file (“seccomp-bpf.h”) for implementing the filter, and a collection of other files used to assist in syscall discovery. It should be portable, so it can build even on systems that do not have seccomp available yet. [...] Read more in the seccomp filter tutorial."
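As an added illustration (not code from the tutorial or its seccomp-bpf.h), here is a minimal mode 2 filter of the kind the post describes: it allows a short list of syscalls and traps everything else, so a SIGSYS handler can report the number of any syscall the policy missed, which is one way to answer the "which syscalls does my program need" question. It assumes Linux on x86_64 with a kernel that has seccomp filter (3.5 or the 12.04 backport); the names build_allowlist_filter, on_sigsys and EMIT are mine.

```c
#define _GNU_SOURCE                 /* exposes siginfo_t.si_syscall */
#include <stddef.h>
#include <stdio.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#define EMIT(insn) (out[p++] = (struct sock_filter)insn)   /* append one BPF instruction */

/* Policy: foreign ABI -> KILL; nr on the list -> ALLOW; anything else -> TRAP (SIGSYS).
   Returns the instruction count, or -1 if the list does not fit (jump offsets are 8-bit). */
int build_allowlist_filter(const int *allowed, int n, struct sock_filter *out, int cap)
{
    if (n < 1 || n > 255 || cap < n + 6) return -1;
    int p = 0;
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0)); /* assumes x86_64 */
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL));
    EMIT(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    for (int i = 0; i < n; i++)     /* a hit jumps past the remaining tests and the TRAP */
        EMIT(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, allowed[i], n - i, 0));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_TRAP));
    EMIT(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return p;
}

/* SIGSYS handler: report the rejected syscall and exit. Collecting these numbers while
   running under TRAP is one way to discover what a program actually needs. */
static void on_sigsys(int sig, siginfo_t *si, void *ctx)
{
    char msg[64];                   /* snprintf is not async-signal-safe; tolerable as we _exit */
    int n = snprintf(msg, sizeof msg, "seccomp: blocked syscall %d\n", si->si_syscall);
    write(STDERR_FILENO, msg, (size_t)n);   /* write() and exit_group() are on the list */
    (void)sig; (void)ctx; _exit(1);
}

int main(void)
{
    int allowed[] = { SYS_write, SYS_exit_group };      /* just enough for the lines below */
    struct sock_filter f[16]; int len = build_allowlist_filter(allowed, 2, f, 16);
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = f };
    struct sigaction sa = { .sa_sigaction = on_sigsys, .sa_flags = SA_SIGINFO };
    if (len < 0 || sigaction(SIGSYS, &sa, NULL) == -1) return 1;
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return 1;    /* required without CAP_SYS_ADMIN */
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) == -1) return 1; /* kernel 3.5+ / 12.04 backport */
    write(STDOUT_FILENO, "write allowed\n", 14);
    return (int)getpid();           /* not on the list: handler prints 39 on x86_64 and exits 1 */
}
```

Each extra syscall the program turns out to need is added to the allow list and the run repeated until it completes; only then is TRAP swapped for KILL in production policy.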



Copyright © 2012, Eklektix, Inc.