Seccomp

seccomp is a simple sandboxing mechanism for the Linux kernel.

It allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit(), read() and write() to already-open file descriptors. Should it attempt any other system calls, the kernel will terminate the process.

In this sense, it does not virtualize the system's resources but isolates the process from them entirely.
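The one-way transition described above, as an added example (not part of the original article): a child process enters strict mode with `prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT)`, writes to a pipe that was opened beforehand, and optionally issues `getpid()` so the parent can observe the kernel killing it. The function name `run_sandboxed` and the `outcome` enum are assumptions made for this illustration.

```c
#define _GNU_SOURCE
#include <linux/seccomp.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

enum outcome { EXITED_CLEANLY, KILLED_BY_KERNEL, STRICT_UNAVAILABLE, SETUP_ERROR };

/* Fork a child, move it into seccomp strict mode and report its fate. With
 * try_forbidden set, the child issues getpid(); msg receives the pipe data. */
enum outcome run_sandboxed(int try_forbidden, char *msg, size_t msglen)
{
    int fds[2], status;
    if (msglen == 0 || pipe(fds) != 0)   /* pipe is opened BEFORE the transition */
        return SETUP_ERROR;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return SETUP_ERROR; }
    if (pid == 0) {
        close(fds[0]);
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            _exit(2);                    /* strict mode refused, e.g. no seccomp support */
        if (write(fds[1], "sandboxed", 9) != 9)   /* allowed: already-open descriptor */
            syscall(SYS_exit, 1);
        if (try_forbidden)
            syscall(SYS_getpid);         /* not allowed: the kernel kills the process */
        syscall(SYS_exit, 0);  /* raw exit(); glibc's _exit() uses exit_group(), not permitted */
    }
    close(fds[1]);
    ssize_t n = read(fds[0], msg, msglen - 1);
    msg[n > 0 ? n : 0] = '\0';
    close(fds[0]);
    if (waitpid(pid, &status, 0) != pid)
        return SETUP_ERROR;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return KILLED_BY_KERNEL;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return EXITED_CLEANLY;
    return STRICT_UNAVAILABLE;           /* strict mode could not be entered or used */
}

int main(void)
{
    char msg[32];   /* printed codes: 0 = clean exit, 1 = killed, 2 = unavailable */
    printf("write then exit:   %d\n", run_sandboxed(0, msg, sizeof msg));
    printf("forbidden syscall: %d\n", run_sandboxed(1, msg, sizeof msg));
    return 0;
}
```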

seccomp was first devised by Andrea Arcangeli in January 2005 for use in public grid computing and was originally intended as a means of safely running untrusted compute-bound programs.

As of April 2006, Arcangeli's [http://www.cpushare.com CPUShare] is the only service that makes use of this feature. seccomp has been criticised (see [http://marc.theaimsgroup.com/?l=linux-kernel&m=114539842118897&w=2 Ingo Molnar's critique on the linux-kernel mailing list]) for being bound to a service (CPUShare) that is burdened with patents that aim to restrict the freedoms of grid computing service providers.


Wikimedia Foundation. 2010.
