2

From this answer I understand that seccomp-bpf filters the list of syscalls a process can call. Similarly, the capabilites mechanism will cause a syscall to fail if the caller does not have the capability necessary for that syscall.

What I want to understand if there are scenarios in which one mechanism is more powerful than the other.

In other words: Given a process running with a minimal set of capabilites, is there any additional protection a good seccomp profile can provide?

inorik
  • 197
  • 5

1 Answers1

4

Seccomp and capabilites serve different purposes, for starters. Capabilities are used to add slices of root privilege to an otherwise unprivileged process. By contrast, seccomp removes the ability to perform certain functions by taking away normally-available syscalls.

You don't need special privileges to perform syscalls normally, as syscalls are the mechanism through which an unprivileged user program can open files, network sockets, devices etc. There are many use cases for seccomp; perhaps you want to sandbox your program from the filesystem or the network. Or perhaps you simply want to lower the attack surface for privilege escalation by disabling unneeded syscalls.

multithr3at3d
  • 12,529
  • 3
  • 31
  • 43