Menu
Is there something like seccomp that works on Windows?
It should limit all syscalls to some very limited set, like only reading and writing to already opened files.
The one described as sandbox for Chromium does not look like Seccomp, as it is based on usual file permissions and Windows security objects, not on limiting access to syscalls.
666
seccomp (short for secure computing mode) is a computer security facility in the Linux kernel. seccomp allows a process to make a one-way transition into a "secure" state where it cannot make any system calls except exit() , sigreturn() , read() and write() to already-open file descriptors.
Seccomp filtering provides a means for a process to specify a filter for incoming system calls. The filter is expressed as a Berkeley Packet Filter (BPF) program, as with socket filters, except that the data operated on is related to the system call being made: system call number and the system call arguments.
Secure computing mode ( seccomp ) is a Linux kernel feature. You can use it to restrict the actions available within the container. The seccomp() system call operates on the seccomp state of the calling process. You can use this feature to restrict your application's access.
No, there is nothing like seccomp that works on Windows. The closest there is are traditional permissions which disable certain privileged syscalls. But currently, there is no way to whitelist or blacklist entire arbitrary syscalls, or syscall arguments on Windows.
148
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
