- Seccomp
seccomp is a simple sandboxing mechanism for the Linux kernel. It allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process. In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
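The one-way transition described above can be observed from a parent process. The following is an added example, not code from the original page: it assumes the mode is entered with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)`, and the function name, result codes and pipe payload are hypothetical.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical result codes for this example. */
enum { EXITED_CLEANLY = 0, KILLED_BY_KERNEL = 1, SECCOMP_UNAVAILABLE = -1, OTHER = -2 };

/* Fork a child, move it into the "secure" state, let it write() to an
 * already-open pipe, then either exit() or attempt one forbidden call. */
int run_sandboxed_child(int try_forbidden, char *buf, size_t buflen, ssize_t *nread)
{
    int fds[2];
    if (pipe(fds) != 0) return OTHER;
    pid_t pid = fork();
    if (pid < 0) return OTHER;
    if (pid == 0) {
        close(fds[0]);                      /* close() is only possible before the transition */
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            _exit(42);                      /* kernel refused the mode: tell the parent */
        if (write(fds[1], "hello", 5) != 5) /* allowed: the descriptor was already open */
            syscall(SYS_exit, 1);
        if (try_forbidden)
            syscall(SYS_getpid);            /* any other system call: process is terminated */
        syscall(SYS_exit, 0);               /* raw exit(); glibc's _exit() issues exit_group */
    }
    close(fds[1]);
    *nread = read(fds[0], buf, buflen);     /* what the child managed to write */
    close(fds[0]);
    int status;
    if (waitpid(pid, &status, 0) != pid) return OTHER;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 42) return SECCOMP_UNAVAILABLE;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return EXITED_CLEANLY;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) return KILLED_BY_KERNEL;
    return OTHER;
}

int main(void)
{
    char buf[16];
    ssize_t n;
    printf("well-behaved child: %d\n", run_sandboxed_child(0, buf, sizeof buf, &n));
    printf("child calling getpid(): %d\n", run_sandboxed_child(1, buf, sizeof buf, &n));
    return 0;
}
```

The child leaves through the raw `exit` system call because the C library's usual exit path uses `exit_group`, which the secure state does not permit.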
seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs. Arcangeli's [http://www.cpushare.com CPUShare] is the only service that makes use of this feature as of April 2006, and seccomp has been criticised ([http://marc.theaimsgroup.com/?l=linux-kernel&m=114539842118897&w=2] Ingo Molnar's critique on linux-kernel mailing list) for being bound to a service (CPUShare) that is burdened with patents that aim to restrict the freedoms of grid computing service providers.
Wikimedia Foundation. 2010.