Confirmed users
502
edits
Security/Sandbox/Seccomp: Difference between revisions
→Intro to seccomp and seccomp-bpf
Gdestuynder (talk | contribs) No edit summary |
Gdestuynder (talk | contribs) |
||
| Line 8: | Line 8: | ||
Seccomp-bpf is a more recent extension to seccomp, which adds the support for [http://en.wikipedia.org/wiki/Berkeley_Packet_Filter BPF (Berkely Packet Filter)] filters. | Seccomp-bpf is a more recent extension to seccomp, which adds the support for [http://en.wikipedia.org/wiki/Berkeley_Packet_Filter BPF (Berkely Packet Filter)] filters. | ||
These filter allow for a more configurable list of system calls that are allowed or denied within the sandbox. Seccomp-bpf is available since Linux version 3.5 and is useable on ARM architecture since Linux version 3.10. Several backports are available for earlier kernel versions. | These filter allow for a more configurable list of system calls that are allowed or denied within the sandbox. Seccomp-bpf is available since Linux version 3.5 and is useable on ARM architecture since Linux version 3.10. Several backports are available for earlier kernel versions. | ||
We have backports for 3.0.x kernels, 3.4 kernels, and 2.6.29 kernels (see bug 790923 and it's children). No backport is necessary for kernels 3.10 and above. | |||
''CONFIG_SECCOMP=y'' and ''CONFIG_SECCOMP_FILTER=y'' are needed in the kernel's config at compile time. | |||
=== How do I call seccomp-bpf ? === | === How do I call seccomp-bpf ? === | ||