In association with heise online

18 July 2012, 09:23

Systemd: Sandbox for background services


Systemd developer Lennart Poettering has extended the init system for Linux to include seccomp (Secure Computing Mode) support. Seccomp is a security mechanism in the Linux kernel that restricts the system calls a process can make, placing the process in a sandbox: the attack surface of the kernel that a compromised process can reach shrinks to the calls it has been allowed. Google uses seccomp to run the Flash plugin in a confined environment in the 64-bit version of the Chrome web browser for Linux.

On Google+, Poettering writes that, when defining a background service that is to be launched at boot, the permitted system calls can simply be listed after the SystemCallFilter keyword in the service's unit file. If a service restricted in this way attempts to make a system call that is not on the list, it is terminated by the kernel. The feature relies on seccomp's filter mode (seccomp-bpf), which lets a process supply its own list of allowed calls rather than the fixed read/write/exit/sigreturn set of the older strict mode; that filter mode arrives in version 3.5 of Linux, which is expected in the next few days.
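As an added illustration (not from the article or from the systemd project), the following unit file shows the SystemCallFilter= setting in use. The service name, the binary path and the particular list of system calls are assumptions chosen for the example; the list would be derived for a real daemon by running it under strace and recording which calls it actually makes.

```ini
# /etc/systemd/system/echo-logger.service   (hypothetical service and binary)
[Unit]
Description=Example daemon confined to a system call allow-list

[Service]
ExecStart=/usr/local/bin/echo-logger
# Every system call the process may make must appear here. Anything else is
# fatal: the kernel kills the process with SIGSYS the first time it is tried.
# The list below is a constructed example derived as one would for a real
# daemon with:  strace -f -c /usr/local/bin/echo-logger
# Calls needed merely to start up and shut down cleanly (execve, brk, mmap,
# mprotect, exit_group, rt_sigreturn) are listed explicitly.
SystemCallFilter=execve brk mmap munmap mprotect read write open close fstat \
                 socket bind listen accept4 poll rt_sigaction rt_sigprocmask \
                 rt_sigreturn exit exit_group
```

Two things a practitioner should check after adding such a filter. First, an allow-list that is too short does not degrade the service gracefully: the process is killed on its first disallowed call, frequently during startup, and the journal records the main process as killed by signal 31 (SIGSYS on x86 and x86-64). Second, the names are raw kernel system calls, not C library functions, so the set differs between architectures and libc versions (a libc that implements open() via openat() needs openat in the list), which is why the list should be generated on the target system rather than written from memory.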
