FreeBSD Capsicum Vs. Linux Seccomp Process Sandboxing
Why It Matters
Capsicum’s capability mode removes a process’s ambient authority outright, giving privileged services stronger isolation; seccomp’s syscall‑filter model leaves descriptor rights intact and needs continuous profile maintenance as kernels gain syscalls, which shapes both container security and browser hardening.
Key Takeaways
- Capsicum removes ambient authority via an irreversible capability mode (cap_enter).
- seccomp‑bpf filters syscalls but leaves file descriptor rights untouched.
- Capsicum provides per‑FD rights; seccomp sees only syscall numbers and register arguments.
- New Linux syscalls fall outside existing seccomp profiles: an allow‑list fails closed and may break the application, a deny‑list fails open.
- FreeBSD tools such as tcpdump and dhclient run under Capsicum; Linux containers and browsers rely on seccomp.
Pulse Analysis
The Unix security model historically granted a compromised process the same privileges as its user, exposing the entire filesystem, network stack, and process table. As the internet grew, this ambient authority became a liability, prompting operating‑system designers to rethink sandboxing. FreeBSD introduced Capsicum in 2010, embracing a capability‑based philosophy: a process first opens the descriptors it will need and narrows each one to specific rights (cap_rights_limit), then calls cap_enter(2). From that point on, global namespaces such as paths, PIDs, and network addresses are unreachable (the affected syscalls fail with ECAPMODE), and the process can act only through the descriptors it already holds, with only the rights left on them. Capability mode cannot be left, so the attack surface shrinks permanently and privilege escalation becomes far more difficult.
Linux’s answer arrived later with seccomp‑bpf (Linux 3.5, 2012), which inserts a programmable BPF filter between the process and the kernel. Developers craft an allow‑list of syscalls, and the filter returns an action for every call: allow, fail with an errno, trap, log, or kill the process. The filter sees only the syscall number, architecture, and raw register arguments; it cannot dereference pointers or tell which file a descriptor refers to. While this approach is flexible and has been adopted widely, protecting containers, Android apps, and browsers, it leaves file‑descriptor rights intact, meaning a compromised process can still misuse any resource it already has open. Moreover, every syscall the kernel adds falls outside existing profiles: an allow‑list fails closed and may break the application on a newer kernel, while a deny‑list silently fails open, so profiles need ongoing maintenance either way.
In practice, the divergence is evident. FreeBSD’s tcpdump, dhclient, and other privileged utilities run in Capsicum mode, limiting themselves to a handful of descriptors and operations. Linux containers and Chromium rely on seccomp profiles that block hundreds of syscalls but must be meticulously curated. CVE‑2022‑30594 (fixed in Linux 5.17.2), where the PTRACE_SEIZE path let an attacker set the flag that suspends seccomp enforcement without the intended privilege check, illustrates the risk of a filter that can be switched off. Capsicum has no equivalent knob: capability mode cannot be suspended or exited, so this class of bypass does not exist, although, like any kernel‑enforced boundary, it still depends on the kernel itself being correct. That structural difference is a compelling argument for capability‑based sandboxing in high‑risk environments.
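The two mechanisms described in the preceding two paragraphs, side by side, as an added example (this is not code from the page, from FreeBSD, or from the Linux kernel project). On FreeBSD the helper narrows one already‑open descriptor to read‑only rights and then enters capability mode; on Linux it emits a seccomp‑bpf allow‑list and installs it with prctl(2). The Linux half also carries a small userspace interpreter for the three BPF opcodes the builder emits, so the filter can be checked against synthetic (arch, nr) pairs before it is installed; the allow‑list of read/write/exit_group and the unknown syscall number 999 are constructed inputs chosen to show that an allow‑list fails closed for syscalls it has never heard of. All function names here are the example's own.

```c
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <unistd.h>

#if defined(__FreeBSD__)
#include <sys/capsicum.h>

/* Capsicum: shrink the rights on an open descriptor, then enter capability mode.
 * After cap_enter() succeeds, namespace syscalls (open, socket, kill, ...) fail
 * with ECAPMODE for the rest of the process lifetime; fd keeps only CAP_READ and
 * CAP_FSTAT.  There is no way back out.  Returns 0 on success, -1 on error. */
int sandbox_readonly_fd(int fd)
{
    cap_rights_t rights;

    cap_rights_init(&rights, CAP_READ, CAP_FSTAT);   /* no CAP_WRITE, no CAP_FCNTL */
    if (cap_rights_limit(fd, &rights) < 0)
        return -1;
    return cap_enter();
}
#endif

#if defined(__linux__)
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>

#ifndef SECCOMP_RET_KILL_PROCESS                 /* added in Linux 4.14 */
#define SECCOMP_RET_KILL_PROCESS 0x80000000U
#endif
#if defined(__x86_64__)
#define NATIVE_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define NATIVE_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif

/* seccomp-bpf: emit an allow-list.  Layout: load arch, kill on mismatch; load
 * nr, allow on any listed number; otherwise kill.  A syscall added to the
 * kernel after this profile was written lands in the final "kill".
 * Returns the instruction count, or 0 if `out` is too small. */
size_t build_allowlist(const int *allowed, size_t n, struct sock_filter *out, size_t cap)
{
    size_t need = 4 + 2 * n + 1, i = 0, j;

    if (cap < need)
        return 0;
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, NATIVE_ARCH, 1, 0);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    out[i++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (j = 0; j < n; j++) {
        out[i++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (uint32_t)allowed[j], 0, 1);
        out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    }
    out[i++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    return i;
}

/* Interpreter for only the three opcodes build_allowlist() emits, so a filter can
 * be checked in userspace without installing it.  Anything else => kill. */
uint32_t eval_filter(const struct sock_filter *prog, size_t len, uint32_t arch, uint32_t nr)
{
    uint32_t acc = 0;
    size_t pc = 0;

    while (pc < len) {
        const struct sock_filter *f = &prog[pc++];
        if (f->code == (BPF_LD | BPF_W | BPF_ABS)) {
            if (f->k == (uint32_t)offsetof(struct seccomp_data, arch))
                acc = arch;
            else if (f->k == (uint32_t)offsetof(struct seccomp_data, nr))
                acc = nr;
            else
                return SECCOMP_RET_KILL_PROCESS;     /* field not modelled here */
        } else if (f->code == (BPF_JMP | BPF_JEQ | BPF_K)) {
            pc += (acc == f->k) ? f->jt : f->jf;    /* relative to the next instruction */
        } else if (f->code == (BPF_RET | BPF_K)) {
            return f->k;
        } else {
            return SECCOMP_RET_KILL_PROCESS;         /* opcode not modelled here */
        }
    }
    return SECCOMP_RET_KILL_PROCESS;                 /* fell off the end */
}

/* Build the allow-list for `allowed` and report what it decides for (arch, nr). */
uint32_t decide(const int *allowed, size_t n, uint32_t arch, uint32_t nr)
{
    struct sock_filter prog[64];
    size_t len = build_allowlist(allowed, n, prog, 64);

    return len ? eval_filter(prog, len, arch, nr) : SECCOMP_RET_KILL_PROCESS;
}

/* Install the filter.  PR_SET_NO_NEW_PRIVS is required for an unprivileged
 * caller and also prevents a later execve() from regaining privilege via setuid. */
int install_filter(struct sock_filter *prog, size_t len)
{
    struct sock_fprog fprog = { .len = (unsigned short)len, .filter = prog };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
#endif /* __linux__ */

int main(void)
{
#if defined(__FreeBSD__)
    char buf[64];
    int fd = open("/etc/hosts", O_RDONLY);            /* open BEFORE cap_enter */
    if (fd < 0 || sandbox_readonly_fd(fd) < 0)
        return 1;
    printf("read on retained fd: %zd bytes\n", read(fd, buf, sizeof buf));
    printf("open() in capability mode: %s\n",
           (open("/etc/passwd", O_RDONLY) < 0 && errno == ECAPMODE) ? "ECAPMODE" : "allowed?!");
    return 0;
#elif defined(__linux__)
    static const char msg[] = "sandboxed: only read/write/exit_group remain\n";
    const int allowed[] = { SYS_read, SYS_write, SYS_exit_group };
    size_t n = sizeof allowed / sizeof allowed[0];
    struct sock_filter prog[64];
    size_t len = build_allowlist(allowed, n, prog, 64);

    printf("read   -> %s\n", decide(allowed, n, NATIVE_ARCH, SYS_read)   == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("openat -> %s\n", decide(allowed, n, NATIVE_ARCH, SYS_openat) == SECCOMP_RET_ALLOW ? "allow" : "kill");
    printf("nr 999 -> %s\n", decide(allowed, n, NATIVE_ARCH, 999)        == SECCOMP_RET_ALLOW ? "allow" : "kill");
    fflush(stdout);                      /* flush now: after install only raw write(2) is safe */
    if (install_filter(prog, len) < 0)
        return 1;
    write(1, msg, sizeof msg - 1);
    _exit(0);                            /* exit_group(2); plain exit() may issue other syscalls */
#else
#error "example covers FreeBSD and Linux only"
#endif
}
```

Note the ordering on both platforms: every descriptor the sandboxed code will ever need is opened before cap_enter() or prctl(), because afterwards the FreeBSD process cannot name a path at all and the Linux process cannot call openat(2). The Linux evaluator is only for checking the filter; it does not replace the kernel's verifier, which rejects backward jumps and malformed programs at install time.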