7.3.14.5 Increased Security for Storage Server Processes

The secure computing (seccomp) feature in the Oracle Linux kernel is used to restrict the system calls that can be made from a process.

The Oracle Linux kernel has a few hundred system calls, but most of them are not needed by any given process. A seccomp filter defines whether a system call is allowed or restricted. Seccomp filters are installed for cell server and cell offload server processes automatically on an upgrade. An allowlist of system calls are allowed to be made from cell server and cell offload server. For certain allowlist system calls, the seccomp filters perform an additional validation of the arguments.

Seccomp filters provide a higher level of security for the cell processes. This feature is automatically enabled in Oracle Exadata System Software release 19.1.0.