System Calls
System calls allow the kernel to carefully expose certain key pieces of functionality to user programs, such as accessing the file system, creating and destroying processes, communicating with other processes, and allocating more memory.
Early Unix systems exposed around twenty calls; Linux and OpenBSD each have over 300 different calls, NetBSD has close to 500, and FreeBSD has over 500.
To the program, a system call looks like an ordinary C procedure call; the change of mode is achieved by special instructions hidden inside the wrapper:
trap instruction: enter kernel mode.
return-from-trap instruction: back to the user program in user mode.
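The trap hidden inside a system call can be issued by hand, which makes the wrapper's job visible. The example below is added here and is not code from the original notes: it enters the kernel with the architecture's trap instruction (x86-64 `syscall`, AArch64 `svc #0`; elsewhere it falls back to libc's syscall(2)) for a write, and compares the raw result with the libc write() wrapper. The pipe message is a constructed sample input.

```c
/* Added example (not from the original notes): the trap hidden inside a
 * system call, issued by hand and through the libc wrapper. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

/* raw_syscall3: enter the kernel with the architecture's trap instruction.
 * The kernel leaves its result in the return register; a value in
 * [-4095, -1] is a negated errno. Where no inline assembly is provided we
 * fall back to libc's syscall(2) and re-encode its -1/errno result the same way. */
static long raw_syscall3(long nr, long a1, long a2, long a3)
{
    long ret;
#if defined(__x86_64__) && defined(__linux__)
    /* x86-64: number in rax, arguments in rdi/rsi/rdx; `syscall` clobbers rcx, r11. */
    __asm__ volatile("syscall"
                     : "=a"(ret)
                     : "a"(nr), "D"(a1), "S"(a2), "d"(a3)
                     : "rcx", "r11", "memory");
#elif defined(__aarch64__) && defined(__linux__)
    /* AArch64: number in x8, arguments in x0..x2, result back in x0. */
    register long x8 __asm__("x8") = nr;
    register long x0 __asm__("x0") = a1;
    register long x1 __asm__("x1") = a2;
    register long x2 __asm__("x2") = a3;
    __asm__ volatile("svc #0" : "+r"(x0) : "r"(x8), "r"(x1), "r"(x2) : "memory");
    ret = x0;
#else
    ret = syscall(nr, a1, a2, a3);
    if (ret == -1)
        ret = -errno;
#endif
    return ret;
}

/* raw_write: write(2) with no wrapper. Returns bytes written or -errno. */
long raw_write(int fd, const void *buf, size_t len)
{
    return raw_syscall3(SYS_write, fd, (long)(uintptr_t)buf, (long)len);
}

/* wrapped_write: the same call through libc. The wrapper performs the trap,
 * then turns a negative kernel result into -1 with errno set. */
long wrapped_write(int fd, const void *buf, size_t len)
{
    return (long)write(fd, buf, len);
}

/* pipe_roundtrip: send a constructed message into a pipe with the raw trap,
 * read it back through the wrapper, and return the byte count read (or -errno). */
long pipe_roundtrip(void)
{
    static const char msg[] = "hello via trap";   /* constructed sample input */
    char buf[64];
    int p[2];
    if (pipe(p) != 0)
        return -errno;
    long w = raw_write(p[1], msg, sizeof msg - 1);
    long r = (w < 0) ? w : (long)read(p[0], buf, sizeof buf);
    close(p[0]);
    close(p[1]);
    return r;
}

int main(void)
{
    printf("pipe_roundtrip -> %ld bytes\n", pipe_roundtrip());
    long bad = raw_write(-1, "x", 1);          /* kernel answers -EBADF */
    printf("raw_write(-1) -> %ld (%s)\n", bad, strerror((int)-bad));
    long wrapped = wrapped_write(-1, "x", 1);  /* libc turns that into -1/errno */
    int saved = errno;
    printf("wrapped_write(-1) -> %ld, errno=%d (%s)\n", wrapped, saved, strerror(saved));
    return 0;
}
```

The point to notice is the two error conventions: the kernel hands back -EBADF in the return register, and the libc wrapper is what converts that into the -1 plus errno that C programs expect. Running the binary under strace shows the same write calls whichever path issued them.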
ioctl
Controls hardware devices.
The kernel accepts device drivers as extra modules. Device drivers run in kernel space and can address the device directly. ioctl is a single system call that userspace uses to communicate with device drivers.
The Unix command-line interface is built on pseudo terminals, which are controlled as if they were hardware devices, so ioctl is used for them too.
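Two ioctl requests show how one system call is multiplexed across drivers. The example below is added here and is not code from the original notes: FIONREAD asks the driver behind a descriptor how many bytes are queued (here against a pipe holding a constructed message), and TIOCGWINSZ is a terminal-driver request that the kernel refuses with ENOTTY on anything that is not a terminal, which is also how programs notice that their output has been redirected.

```c
/* Added example (not from the original notes): two ioctl requests, one that a
 * pipe answers and one that only a (pseudo)terminal driver answers. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ioctl.h>

/* bytes_pending: FIONREAD asks the driver behind fd how many bytes can be
 * read without blocking. Returns that count, or -errno. */
long bytes_pending(int fd)
{
    int n = 0;
    if (ioctl(fd, FIONREAD, &n) == -1)
        return -errno;
    return n;
}

/* terminal_columns: TIOCGWINSZ is handled by the tty driver. On a descriptor
 * that is not a terminal the kernel answers ENOTTY. Returns columns, or -errno. */
long terminal_columns(int fd)
{
    struct winsize ws;
    memset(&ws, 0, sizeof ws);
    if (ioctl(fd, TIOCGWINSZ, &ws) == -1)
        return -errno;
    return ws.ws_col;
}

/* pipe_pending_demo: queue a constructed message in a pipe and ask the pipe
 * driver how much is waiting. Returns the queued byte count or -errno. */
long pipe_pending_demo(void)
{
    static const char msg[] = "queued in the pipe";   /* constructed sample input */
    int p[2];
    long rc;
    if (pipe(p) != 0)
        return -errno;
    if (write(p[1], msg, sizeof msg - 1) != (ssize_t)(sizeof msg - 1))
        rc = -errno;
    else
        rc = bytes_pending(p[0]);
    close(p[0]);
    close(p[1]);
    return rc;
}

/* pipe_not_a_tty_demo: the terminal request is refused on a pipe. */
long pipe_not_a_tty_demo(void)
{
    int p[2];
    if (pipe(p) != 0)
        return -errno;
    long rc = terminal_columns(p[0]);
    close(p[0]);
    close(p[1]);
    return rc;
}

int main(void)
{
    printf("pipe FIONREAD   -> %ld bytes queued\n", pipe_pending_demo());
    long cols = pipe_not_a_tty_demo();
    printf("pipe TIOCGWINSZ -> %ld (%s)\n", cols, strerror((int)-cols));
    cols = terminal_columns(STDOUT_FILENO);   /* depends on how stdout is attached */
    if (cols < 0)
        printf("stdout TIOCGWINSZ -> %s (stdout is not a terminal)\n", strerror((int)-cols));
    else
        printf("stdout TIOCGWINSZ -> %ld columns\n", cols);
    return 0;
}
```

From a defender's point of view the same property cuts the other way: because ioctl is one entry point with a driver-specific request number and an opaque argument pointer, it is the interface where driver parsing bugs surface, and sandbox policies (see seccomp below) commonly restrict which request numbers a confined process may pass.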
seccomp
Secure computing mode (seccomp): the process supplies a list of allowed system calls, and any system call not on the list is disallowed.
It can be used to sandbox a process by reducing its privileges, restricting the calls it is able to make from userspace into the kernel.