Restricting Syscalls With Seccomp

Shrinking a process attack surface by allowing only the syscalls it needs.

5 min read · advanced

Narrowing The Kernel Surface

Seccomp (secure computing mode) is a Linux kernel facility that lets a process restrict which system calls it, and any child it forks, may make. Since syscalls are the only way user code reaches privileged kernel operations such as opening files, creating sockets or executing programs, allowing only the ones a program actually needs shrinks the surface an attacker can abuse after a compromise.

How It Works

  • The process installs a filter, a small BPF program (seccomp-bpf), that the kernel evaluates on every syscall entry. The filter can match on the syscall number, the architecture and the raw argument values, but it cannot dereference pointers, so it cannot see the path handed to open or the bytes handed to write.
  • A disallowed call is stopped before it runs. Depending on the action the filter returns, the call fails with a chosen errno, raises SIGSYS, is logged, or kills the calling thread or the whole process.
  • Once installed, a filter cannot be removed or loosened, only tightened by stacking more filters, and it survives fork and execve. A tight profile therefore keeps even arbitrary code executing inside the process from reaching denied syscalls. It does not make the allowed ones safe: a kernel bug reachable through an allowed syscall, or a dangerous argument the filter cannot inspect, is still in reach.

Using It Well

  • Start from a default deny profile and allow only the syscalls observed in testing that covers startup, error paths and signal handling. A trace (strace -f, or a dry-run filter that logs instead of denying) captures them, but different libc versions and architectures use different syscalls and numbers, so re-validate the profile whenever the base image or platform changes.
  • Apply it to containers and sandboxes to confine workloads. Docker and other OCI runtimes ship a default profile that blocks rarely needed, high-risk syscalls; a per-workload profile can tighten it further.
  • Pair with other isolation (namespaces, dropped capabilities, a non-root user, a MAC policy) so a single bypass, such as a kernel bug reachable through an allowed syscall, is not catastrophic.
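The mechanism from "How It Works" and the default deny advice from "Using It Well", as an added example that is not part of the original lesson: a raw seccomp-bpf filter installed with prctl, written in C against the kernel headers rather than libseccomp. It checks the architecture first, refuses x32-ABI syscall numbers on x86_64, allows only getppid and the exit syscalls, and denies everything else with EPERM so the refusal can be observed. The filter is installed in a forked child so the parent process stays unconfined; the helper names (install_filter, run_in_filtered_child) are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* Linux >= 4.14 */
#endif

/* Allow exactly one syscall number; any other number falls through. */
#define ALLOW_SYSCALL(nr)                                   \
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (nr), 0, 1),        \
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW)

/* Install a default-deny seccomp-bpf filter in the calling thread.
 * Denied syscalls fail with EPERM instead of killing the process so the
 * caller can observe the refusal. Returns 0 on success, -1 on failure. */
int install_filter(void)
{
    struct sock_filter filter[] = {
        /* Check the architecture first: syscall numbers differ per ABI. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        /* Load the syscall number. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
#if defined(__x86_64__)
        /* x32 ABI calls report AUDIT_ARCH_X86_64 but carry numbers with
         * bit 30 set; refuse them so the allow-list cannot be aliased. */
        BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000U, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
#endif
        ALLOW_SYSCALL(SYS_getppid),
        ALLOW_SYSCALL(SYS_exit_group),
        ALLOW_SYSCALL(SYS_exit),
        /* Default deny: everything not listed above fails with EPERM. */
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };

    /* Required for unprivileged callers; it also stops a later execve of
     * a setuid binary from gaining privileges under a filter the caller chose. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
        return -1;
    return 0;
}

/* Fork a child, install the filter there, and issue raw syscall `nr`.
 * Returns 0 if the syscall succeeded, its errno if it was refused,
 * 100 if the filter could not be installed, -1 on fork/wait failure. */
int run_in_filtered_child(long nr)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        if (install_filter() != 0)
            _exit(100);
        long r = syscall(nr);          /* first syscall evaluated by the filter */
        _exit(r == -1 ? errno : 0);    /* exit_group is on the allow-list */
    }
    int status;
    if (waitpid(pid, &status, 0) != pid)
        return -1;
    if (WIFEXITED(status))
        return WEXITSTATUS(status);
    return -1; /* killed by SECCOMP_RET_KILL_PROCESS or another signal */
}

int main(void)
{
    int allowed = run_in_filtered_child(SYS_getppid); /* on the allow-list */
    int denied = run_in_filtered_child(SYS_getpid);   /* not listed: EPERM */
    printf("getppid under filter: %s\n", allowed == 0 ? "allowed" : "refused");
    printf("getpid under filter: errno %d (%s)\n", denied,
           denied == EPERM ? "EPERM" : "unexpected");
    return (allowed == 0 && denied == EPERM) ? 0 : 1;
}
```

Two details matter in practice. The errno action is convenient while building a profile because a refused call shows up as a failed library call rather than a dead process; for production, SECCOMP_RET_KILL_PROCESS is the safer default since a refusal there almost always means an attacker probing. And the allow-list here is deliberately tiny: add a printf to the child and it fails silently, because write is not listed, which is exactly the kind of gap testing must surface before deployment.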

Key idea

Seccomp confines a process to a minimal set of syscalls, so a default deny profile keeps even compromised code from reaching dangerous kernel operations.

Check yourself

1. What does seccomp restrict?

2. What profile approach is recommended?