
Linux Security: seccomp, and its usage in Android and Docker

seccomp is short for SECure COMPuting. The name sounds like a broad technique, but its scope is narrow and effective: it is a system-call filter enforced by the kernel, almost always used as a default-deny allowlist that restricts which syscalls a process may make.
seccomp is used by many popular systems to sandbox processes and reduce the kernel attack surface exposed to them, notably Chromium, Android and Docker.

How it works

As mentioned above, seccomp is fundamentally an allowlist that the kernel consults on every system call a process makes, deciding whether that particular process is allowed to make that particular call.
Technically the rules are written as a classic Berkeley Packet Filter (BPF) program, which is handed to the kernel with prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, ...) or the newer seccomp(2) system call. The filter sees the syscall number, the architecture/ABI and the raw argument registers (not the memory the arguments point to, which can change after the check), and returns an action: allow, fail with an errno, trap, log, or kill the process.
Writing BPF by hand is not intuitive for most programmers, so there are wrappers that make it more user friendly. Android uses minijail, which came from Chromium OS. Docker uses a Go wrapper around libseccomp, and lets you write the profile in JSON.
We'll see how they are used in practice.
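The raw mechanism the wrappers hide, as an added example that is not code from the original post, minijail or Docker: an allowlist of syscall numbers is compiled into a classic-BPF program, installed with prctl(PR_SET_SECCOMP) in a forked child, and the child is killed with SIGSYS the moment it calls socket(), which is not on the list. The names build_filter, child_outcome and demo_allowed are this example's own; it is Linux-only, assumes x86_64 or arm64, and needs a kernel built with seccomp filter support.

```c
/* Added example, not from the original post, minijail or Docker: a hand-built
 * seccomp-bpf allowlist, installed in a child so the parent can observe the
 * SIGSYS. Linux only; the arch constant assumes x86_64 or arm64. */
#define _GNU_SOURCE
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <signal.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_AUDIT_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* The allowlist (assumed for this demo): anything not here is denied. Chosen
 * so the child below can finish via a raw exit_group without touching libc. */
const int demo_allowed[] = { SYS_getpid, SYS_write, SYS_exit_group, SYS_exit };
#define DEMO_ALLOWED_N (sizeof demo_allowed / sizeof demo_allowed[0])

/* Compile an allowlist into BPF: 4 prologue insns, 2 per syscall, 1 default.
 * Returns the instruction count, or -1 if out[] cannot hold it. */
int build_filter(const int *allowed, size_t n, struct sock_filter *out, size_t cap)
{
    size_t i = 0;
    if (5 + 2 * n > cap) return -1;
    /* Check the ABI before the number: a 32-bit syscall number entered via
     * int 0x80 on x86_64 would otherwise alias a different 64-bit syscall. */
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_AUDIT_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t k = 0; k < n; k++) {   /* nr == allowed[k] ? ALLOW : try the next entry */
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[k], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);  /* default deny */
    return (int)i;
}

/* Fork a child, install the filter in it, make one allowed call and optionally
 * one forbidden call. 0 = child exited cleanly, 1 = killed by SIGSYS, -1 = error. */
int child_outcome(int call_forbidden)
{
    struct sock_filter insns[64];
    int len = build_filter(demo_allowed, DEMO_ALLOWED_N, insns, 64);
    if (len < 0) return -1;
    struct sock_fprog prog = { .len = (unsigned short)len, .filter = insns };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        /* NO_NEW_PRIVS is mandatory for an unprivileged caller and also stops a
         * setuid exec from shedding the filter; filters are inherited across
         * fork/exec and can never be removed, only stacked. */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            syscall(SYS_exit_group, 2);
        syscall(SYS_getpid);                                                /* allowed */
        if (call_forbidden) syscall(SYS_socket, AF_INET, SOCK_STREAM, 0);   /* denied */
        syscall(SYS_exit_group, 0);
    }
    int status;
    if (waitpid(pid, &status, 0) != pid) return -1;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0) return 0;
    return (WIFSIGNALED(status) && WTERMSIG(status) == SIGSYS) ? 1 : -1;
}

int main(void)
{
    printf("allowed calls only: %d (0 = exited cleanly)\n", child_outcome(0));
    printf("plus socket():      %d (1 = killed by SIGSYS)\n", child_outcome(1));
    return 0;
}
```

Two details matter in practice: the arch check comes first because syscall numbers are only meaningful per ABI, and the child uses raw syscall() rather than libc wrappers, since any helper syscall libc makes that is not on the list would also be fatal. SECCOMP_RET_KILL kills the calling thread; on 4.14+ kernels SECCOMP_RET_KILL_PROCESS kills the whole process, which is what a sandbox normally wants.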

seccomp in Android

Each process or service gets a seccomp policy defined by Android. minijail is the helper library that parses the policy file and passes the resulting filter to the kernel.
Below we look in detail at how seccomp is applied to the mediaextractor service. Let's jump directly to the code:
#include <libminijail.h>
static const char kSeccompFilePath[] = // policy file path (omitted on the page)
int MiniJail()
{
    struct minijail *jail = minijail_new();                  // create the jail
    minijail_use_seccomp_filter(jail);                       // enable filter mode
    minijail_parse_seccomp_filters(jail, kSeccompFilePath);  // policy file -> BPF filter
    minijail_enter(jail);                                    // install it via the seccomp syscall
    return 0;
}
It is quite straightforward, thanks to the self-explanatory function names and the jail analogy. We first create a minijail, parse the policy (which compiles it into a BPF filter), and finally enter the jail, which installs the filter with the seccomp system call; from then on the policy applies to the process and to everything it forks or execs.
A peek at the content of mediaextractor-seccomp.policy makes things clearer: it lists every syscall the target process is allowed to make. The ": 1" means allowed unconditionally; minijail also accepts argument conditions of the form "ioctl: arg1 == <value>". Note that the names are 32-bit ARM ones (mmap2, getuid32 do not exist on 64-bit ABIs), so Android ships a separate policy file per architecture:
ioctl: 1
futex: 1
prctl: 1
write: 1
getpriority: 1
mmap2: 1
close: 1
munmap: 1
dup: 1
mprotect: 1
getuid32: 1
setpriority: 1
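A parser for the policy format shown above, as an added example that is not code from the original post or from minijail. It turns "name: 1" lines into syscall numbers using a small constructed name-to-number table (minijail generates the real table for each ABI, which is why Android keeps one policy file per architecture), skips blank lines and "#" comments, and rejects, with the offending line number, any rule it cannot compile: an unknown name, a missing colon, or the argument-filter and "return ERRNO" forms this example does not handle. parse_policy and syscall_table are this example's own names.

```c
/* Added example, not from the original post or minijail: parse "name: 1"
 * policy lines into syscall numbers. Returns the count, or minus the 1-based
 * line number of the first line it cannot accept. */
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>

/* Constructed name -> number table for the host ABI; the real one is generated. */
static const struct { const char *name; int nr; } syscall_table[] = {
    { "ioctl", SYS_ioctl }, { "futex", SYS_futex },   { "write", SYS_write },
    { "close", SYS_close }, { "munmap", SYS_munmap }, { "mprotect", SYS_mprotect },
};
#define TABLE_N (sizeof syscall_table / sizeof syscall_table[0])

int parse_policy(const char *text, int *out, size_t cap)
{
    size_t n = 0;
    char line[128];
    for (int lineno = 1; *text; lineno++) {
        size_t len = strcspn(text, "\n");
        if (len >= sizeof line) return -lineno;
        memcpy(line, text, len);
        line[len] = '\0';
        text += len + (text[len] == '\n');
        char *hash = strchr(line, '#');            /* strip a whole-line or trailing comment */
        if (hash) *hash = '\0';
        size_t end = strlen(line);                 /* strip trailing whitespace */
        while (end > 0 && (line[end - 1] == ' ' || line[end - 1] == '\t')) line[--end] = '\0';
        if (end == 0) continue;                    /* blank line */
        char *colon = strchr(line, ':');
        if (!colon) return -lineno;
        *colon++ = '\0';                           /* line is now just the syscall name */
        colon += strspn(colon, " \t");
        if (strcmp(colon, "1") != 0) return -lineno;   /* "arg0 == ..." / "return ERRNO": not handled */
        int nr = -1;
        for (size_t i = 0; i < TABLE_N; i++)
            if (strcmp(syscall_table[i].name, line) == 0) nr = syscall_table[i].nr;
        if (nr < 0 || n == cap) return -lineno;    /* unknown on this ABI, or out[] is full */
        out[n++] = nr;
    }
    return (int)n;
}

int main(void)
{
    /* Constructed policy text in the format shown above (not the Android file). */
    static const char policy[] = "ioctl: 1\nfutex: 1\n# comment\nwrite: 1\nclose: 1\n";
    int nrs[8];
    int n = parse_policy(policy, nrs, 8);
    if (n < 0) { printf("rejected at line %d\n", -n); return 1; }
    for (int i = 0; i < n; i++) printf("allow syscall nr %d\n", nrs[i]);
    return 0;
}
```

Feeding it the 32-bit names from the listing (mmap2, getuid32) on a 64-bit host is rejected as unknown, which is the per-ABI point in code: a policy file is only valid for the architecture whose table it was written against.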

seccomp in Docker

Seccomp profiles were introduced in Docker 1.10. A profile is specified when the container is created, with the --security-opt seccomp=profile.json parameter on docker run or docker create:
docker run -it --rm --security-opt seccomp=profile.json alpine sh ...
If no profile is specified, Docker's default profile is used (and --security-opt seccomp=unconfined turns filtering off entirely). The default profile is an allowlist: its defaultAction is SCMP_ACT_ERRNO and around 44 of the 300+ system calls are blocked, which Docker describes as moderate protection with wide application compatibility. The profile is JSON; it is converted into a BPF filter (through libseccomp) when the container starts and applied to the container's first process before it execs, so every process in the container inherits it.
Applications packaged in the container can only make the system calls the profile allows, which gives you a precise handle on the container's kernel attack surface. The flip side is that a profile that is too tight breaks the workload, so tighten from the default profile rather than writing one from scratch.
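As an added example (not from the original post, and not one of Docker's own profiles), the following profile keeps an allow-everything baseline and denies just the chmod family plus one dangerous argument value of personality(2), the ADDR_NO_RANDOMIZE flag (0x0040000 = 262144) that disables ASLR. The file name deny-chmod.json is an assumption.

```json
{
  "defaultAction": "SCMP_ACT_ALLOW",
  "syscalls": [
    {
      "names": ["chmod", "fchmod", "fchmodat"],
      "action": "SCMP_ACT_ERRNO"
    },
    {
      "names": ["personality"],
      "action": "SCMP_ACT_ERRNO",
      "args": [
        { "index": 0, "value": 262144, "valueTwo": 0, "op": "SCMP_CMP_EQ" }
      ]
    }
  ]
}
```

Verify it with `docker run --rm --security-opt seccomp=deny-chmod.json alpine sh -c 'touch /tmp/f && chmod 400 /tmp/f'`, which should fail with "Operation not permitted" (SCMP_ACT_ERRNO returns EPERM unless told otherwise). This denylist shape is the weaker choice and is shown only because it is short: a syscall added to the kernel later, such as fchmodat2, is not on the list and so slips through. The allowlist shape of Docker's default profile (defaultAction SCMP_ACT_ERRNO plus an explicit SCMP_ACT_ALLOW list) fails closed for new syscalls, so the practical workflow is to copy the default profile and delete the entries your workload does not need.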


In this article, we discussed what seccomp is and how Android and Docker use it to build a more secure system.
