Michael Kerrisk

Using Seccomp to Limit the Kernel Attack Surface

Seccomp (secure computing) is a means to limit the system calls a program may make to the Linux kernel. It can be used to select exactly which system calls are permitted (or denied) and to restrict the arguments that may be passed to those system calls. System call filtering is achieved by writing BPF programs--programs written for a small in-kernel virtual machine that is able to examine system call numbers and arguments.

In this session, I'll examine the BPF virtual machine and look at some illustrative examples of filter programs that restrict the set of permitted system calls. I'll also briefly mention some of the productivity aids available for writing BPF filters and consider some caveats regarding its use. The goal is to provide a solid understanding of a tool that has found use in a wide range of applications running on Linux, including Docker, LXC, various web browsers, systemd, Flatpak, and Firejail.

Michael Kerrisk


Michael Kerrisk is a trainer, author, and programmer who has a passion for investigating and explaining software systems. He is the author of "The Linux Programming Interface", a widely acclaimed book on Linux (and UNIX) system programming. He has been actively involved in the Linux development community since 2000, operating mainly in the area of testing, design review, and documentation of kernel-user-space interfaces. Since 2004, he has maintained the Linux "man-pages" project, which provides the primary documentation for Linux system calls and C library functions. Michael is a New Zealander, living in Munich, Germany, from where he operates a training business (man7.org) providing low-level Linux programming courses in Europe, North America, and occasionally further afield.

Michael's full speaker profile