SECCOMP(2)                 Linux Programmer's Manual                SECCOMP(2)

NAME

       seccomp - operate on Secure Computing state of the process

SYNOPSIS

       #include <linux/seccomp.h>  /* Definition of SECCOMP_* constants */
       #include <linux/filter.h>   /* Definition of struct sock_fprog */
       #include <linux/audit.h>    /* Definition of AUDIT_* constants */
       #include <linux/signal.h>   /* Definition of SIG* constants */
       #include <sys/ptrace.h>     /* Definition of PTRACE_* constants */
       #include <sys/syscall.h>    /* Definition of SYS_* constants */
       #include <unistd.h>

       int syscall(SYS_seccomp, unsigned int operation, unsigned int flags,
                   void *args);

       Note: glibc provides no wrapper for seccomp(), necessitating the use of
       syscall(2).

DESCRIPTION

       The seccomp() system call operates on the Secure Computing (seccomp)
       state of the calling process.

       Currently, Linux supports the following operation values:

       SECCOMP_SET_MODE_STRICT
              The only system calls that the calling thread is permitted to
              make are read(2), write(2), _exit(2) (but not exit_group(2)),
              and sigreturn(2).  Other system calls result in the delivery of
              a SIGKILL signal.  Strict secure computing mode is useful for
              number-crunching applications that may need to execute untrusted
              byte code, perhaps obtained by reading from a pipe or socket.

              Note that although the calling thread can no longer call
              sigprocmask(2), it can use sigreturn(2) to block all signals
              apart from SIGKILL and SIGSTOP.  This means that alarm(2) (for
              example) is not sufficient for restricting the process's
              execution time.  Instead, to reliably terminate the process,
              SIGKILL must be used.  This can be done by using timer_create(2)
              with SIGEV_SIGNAL and sigev_signo set to SIGKILL, or by using
              setrlimit(2) to set the hard limit for RLIMIT_CPU.

              This operation is available only if the kernel is configured
              with CONFIG_SECCOMP enabled.

              The value of flags must be 0, and args must be NULL.

              This operation is functionally identical to the call:

                  prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT);

       SECCOMP_SET_MODE_FILTER
              The system calls allowed are defined by a pointer to a Berkeley
              Packet Filter (BPF) passed via args.  This argument is a pointer
              to a struct sock_fprog; it can be designed to filter arbitrary
              system calls and system call arguments.  If the filter is
              invalid, seccomp() fails, returning EINVAL in errno.

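              As an added example (not the manual page's own code) of building
              the struct sock_fprog that SECCOMP_SET_MODE_FILTER takes and
              installing it with syscall(2): build_filter() and install_filter()
              are hypothetical names, SANDBOX_ARCH is chosen at compile time for
              x86-64 or AArch64, and calls outside the allow-list fail with
              EPERM instead of killing the thread, so the caller sees the denial.

```c
/* Added example (not from the manual page): build and install a seccomp-BPF
 * allow-list for SECCOMP_SET_MODE_FILTER.  Assumes x86-64 or AArch64 Linux. */
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
#define INSN(...) (struct sock_filter)__VA_ARGS__   /* BPF_STMT/BPF_JUMP as a value */

/* Fill out[] (capacity cap) with: kill on architecture mismatch, ALLOW each
 * syscall number in allowed[], fail everything else with EPERM.  Returns the
 * instruction count (4 + n + 2), or 0 if the program would not fit. */
size_t build_filter(struct sock_filter *out, size_t cap,
                    const int *allowed, size_t n)
{
    size_t i = 0;
    if (n > 255 || cap < n + 6) return 0;          /* jt is 8 bits wide */
    /* Check the ABI first: syscall numbers differ between architectures. */
    out[i++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)));
    out[i++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0));
    out[i++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS));
    out[i++] = INSN(BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)));
    /* A match jumps past the remaining compares and the deny, onto ALLOW. */
    for (size_t k = 0; k < n; k++)
        out[i++] = INSN(BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[k],
                                 (unsigned char)(n - k), 0));
    out[i++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM));
    out[i++] = INSN(BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW));
    return i;
}

/* PR_SET_NO_NEW_PRIVS is what lets an unprivileged process install a filter. */
int install_filter(struct sock_filter *insns, size_t len)
{
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1) return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, 0, &prog);
}
```

              Once installed, the filter applies to every later system call of
              the thread and cannot be removed; a typical allow-list for a
              worker would be built from SYS_* values such as SYS_write and
              SYS_exit_group before calling install_filter().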
              If fork