On Linux, open() from glibc places the syscall number for open (5 on x86-64) in rax, the flags and mode arguments in rdi, rsi, rdx, and fires the syscall instruction. The CPU transitions to ring 0 and jumps to the syscall entry point. The kernel's handler validates the path pointer (ensuring it doesn't point into kernel memory), checks file permissions, allocates a file descriptor, creates an open file description, and returns the fd number. On error, it returns -1 and sets errno. The calling program checks the return value and handles the error if negative.

int 0x80 is the legacy 32-bit Linux syscall mechanism — a software interrupt that transfers control to kernel mode via interrupt descriptor table entry 0x80. It was the only mechanism on early Linux. syscall is the modern 64-bit instruction introduced with x86-64 that performs a direct CPU transition to kernel mode without interrupt overhead — it's faster and has dedicated registers for syscall arguments (rdi, rsi, rdx, r10, r8, r9). The kernel maintains separate syscall tables for each mode, and int 0x80 cannot enter the 64-bit kernel.

malloc() is a library function in glibc/musl, not a syscall. It manages a heap within a process's address space by calling brk() or mmap() to request memory pages from the kernel — those are the actual syscalls. This design separates concerns: the kernel manages page-level allocation, while the C library manages byte-level heap semantics (coalescing free blocks, binning by size, alignment). The library also caches freed memory rather than returning it immediately to the kernel, which amortizes syscall overhead. Most malloc() calls never touch the kernel at all.

VDSO (Virtual Dynamic Shared Object) is a shared library the kernel maps into every process's address space at a randomized location. It contains kernel code that has been pre-compiled and exposes pre-computed values for certain syscalls — notably clock_gettime(). Instead of crossing the user/kernel boundary with a syscall instruction, the libc simply reads the VDSO page, which contains the time value already computed by the kernel. This eliminates the privilege switch overhead entirely for these "get" operations. You can verify VDSO is present with cat /proc/self/maps | grep vdso.

fork() is syscall number 57 on x86-64. The kernel's fork handler creates a new process control block (PCB/struct task_struct), duplicates the parent's memory mappings (copy-on-write — pages are shared until either parent or child writes to them), copies the file descriptor table (each fd points to the same open file description, reference count incremented), and sets up the child process's registers so it returns 0 from fork() while the parent gets the child's PID. The key insight is that the kernel doesn't copy the entire memory — just the page table entries, which makes fork fast even for large processes.

seccomp (Secure Computing Mode) is a Linux kernel feature that restricts which syscalls a process may invoke. In strict mode, the only allowed syscalls are read, write, _exit, and sigreturn — anything else kills the process with SIGKILL. Docker uses seccomp-BPF (an extension) to define fine-grained filters based on syscall number and arguments. By default, Docker blocks around 44 syscalls that are not needed for normal container operation — including mount(), syslog(), and module loading. This dramatically reduces the attack surface: even if an attacker compromises the container process, they cannot escalate to host-level access through syscalls the container isn't allowed to make.

C doesn't have exceptions as a language feature (it was added later as a library convention with setjmp/longjmp). Unix was designed in the 1970s with C, and the error model reflects this: syscalls return a signed integer — non-negative values are success (including 0 for read returning no bytes, which is valid), -1 indicates error. The kernel sets the global errno variable to a positive value encoding which error occurred (EFAULT, ENOENT, EPERM, etc.). This maps naturally onto C's error-checking idiom: if (fd < 0) handle_error(). Python, Go, and other languages wrap this underlying contract in their own exception or error-return patterns, but the kernel interface stays the same.

A file descriptor is a small non-negative integer (typically 0, 1, 2 for stdin/stdout/stderr, then 3 upward) that indexes into the per-process file descriptor table. An open file description (also called an open file table entry) is a kernel data structure storing the current file offset, access mode, and a reference to the inode. When you fork(), the child has its own fd table but the entries point to the same open file descriptions — this is why both parent and child see updates to the file offset. When you dup() an fd, both point to the same open file description. File descriptors are process-local; open file descriptions are reference-counted kernel objects that outlive individual fds pointing to them.

dup() returns a new file descriptor that points to the same open file description as the original fd — the kernel allocates the lowest available fd number. dup2(oldfd, newfd) explicitly assigns the duplicated fd to a specific descriptor number you choose, closing newfd first if it's already open. The main use case for dup2() is redirecting standard input, output, or error before executing a child process — for example, redirecting STDIN_FILENO to a file without worrying about what fd number you get back. It also atomically handles the close-of-old-fd case, which matters in multithreaded programs where a fd being closed in another thread could be reused between the close() and dup() in a non-atomic sequence.

pipe(int fds[2]) creates a unidirectional communication channel and returns two file descriptors — fds[0] for reading, fds[1] for writing. Data written to fds[1] can be read from fds[0]. The canonical pattern is: call pipe(), then fork(). After fork, the child typically closes the read end and writes; the parent closes the write end and reads. The kernel's pipe implementation uses a circular buffer in kernel memory. If a process calls pipe() without forking, you have a one-directional channel within a single process — useful for subprocess communication in the same process tree.

fork() creates a new process — it duplicates the calling process, giving the child a copy of the parent's memory, file descriptors, and register state (except the child gets 0 return from fork while the parent gets the child's PID). execve() does not create a new process — it replaces the current process's address space with a new program image, loading the executable from disk and resetting registers, stack, and heap. The typical sequence is: fork() to create a child process, then the child calls execve() to run a different program while inheriting the parent's open file descriptors (which is why pipes redirecting stdin/stdout work with subprocesses). Without execve, fork alone just gives you a clone of the same program running in two processes.

brk() moves the program break (the end of the heap) up or down by a requested amount — it's a simple interface for adjusting how much heap the kernel has allocated to the process. mmap() is more general: it creates a new memory mapping in the process's virtual address space. Mappings can be file-backed (mapping a file's contents into memory) or anonymous (just allocated pages with no backing store). malloc() uses both — small allocations come from the heap managed by brk-style logic inside glibc, while large allocations (typically > 128KB) call mmap() directly to get whole pages directly from the kernel without fragmenting the heap. The key difference is that brk reuses a single heap region while mmap creates entirely new non-contiguous virtual memory regions.

On fork(), the child receives a copy of the parent's file descriptor table — each entry points to the same open file description in the kernel, with the reference count incremented. File descriptors are not duplicated by value; they share the underlying kernel object. The file descriptor flags (FD_CLOEXEC) determine behavior on execve(): if FD_CLOEXEC is set, the fd is automatically closed when the process calls exec. This is how daemons close stdin/stdout/stderr before exec — they set FD_CLOEXEC on the relevant fds before calling execve, so the new program doesn't inherit the parent's file descriptors.

access(path, mode) checks whether the calling process has permission to access a file at a given path — it tests read, write, or execute permissions without actually opening the file. The mode flags are R_OK, W_OK, X_OK, and F_OK (existence check). You'd use access() when you want to test permissions before taking an action that might fail — for example, checking if a file is readable before loading it, or checking execute permission before running a subprocess. Unlike open(), it does not create a file descriptor, does not track the file in the process's fd table, and doesn't update the file's access time. It's purely a permission check against the process's effective UID/GID.

ioctl(fd, request, ...) is a catch-all syscall for device-specific operations that don't fit the standard read/write/open/close model. It takes a file descriptor (often from opening a device node like /dev/tty or a socket) and a request code that uniquely identifies the operation — the third argument is polymorphic, depending on the request. Examples: TIOCGWINSZ to get terminal window size, FIONREAD to get bytes available to read on a file descriptor, SIOCGIFCONF to get network interface addresses. The request codes are typically defined in header files like <sys/ioctl.h> or device-specific headers. It's "miscellaneous" because it's the syscall that doesn't fit neatly into any other category — each device driver implements its own ioctl operations.

prctl(option, arg2, arg3, arg4, arg5) is a multi-purpose syscall for configuring process-level kernel features. Its behavior depends entirely on the option argument. Common uses include: PR_SET_SECCOMP to enable seccomp (the first argument after SECCOMP_MODE_STRICT), PR_SET_PDEATHSIG to set a signal delivered to the process when its parent dies, PR_SET_NAME to set the process name visible in /proc/self/status, and PR_GET_DUMPABLE to query whether core dumps can be made after setuid operations. It's the primary interface for process self-configuration that doesn't fit elsewhere. seccomp-BPF extends this by using prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_program) to load BPF filter programs.

File descriptors are preserved across execve() — they remain open and point to the same open file descriptions they referenced before the exec. The file descriptor table itself is replaced entirely (the child process gets a fresh fd table on fork, then that table is reused on exec). The key exception is if FD_CLOEXEC flag is set on a fd, the kernel automatically closes it during exec as a safety measure. This design supports the common Unix pattern where a parent sets up pipes before forking and execing a child — the child inherits the pipe fds and they remain open during exec so the new program can use them. Without this, redirecting stdin/stdout in subprocesses would require the subprocess to explicitly reopen file descriptors after starting.

read() and write() are library functions (in glibc, musl) that wrap the raw syscall(SYS_read, ...) instruction. syscall() itself is a generic function taking a syscall number as its first argument, followed by up to six arguments passed to the kernel. You could theoretically call syscall(SYS_read, fd, buf, count) directly, bypassing the libc wrapper — though normally you wouldn't because the wrapper does argument validation, error handling (setting errno), and in the case of fopen() vs open(), adds buffering. Using the raw syscall() function also bypasses any libc-level interception (some build environments intercept syscalls for debugging or sandboxing). In normal application code, use the wrappers — they're more ergonomic and handle errno correctly.

Each syscall has a unique number (e.g., read = 0, write = 1, open = 2, fork = 57 on x86-64) that serves as an index into the kernel's syscall table. When a user process executes the syscall instruction, the CPU writes the syscall number into rax and arguments into specific registers. The kernel's entry point (in the kernel's assembly code) uses that number to index into an array of function pointers — sys_call_table[rax] — and calls the corresponding handler function. This indirection is why syscall numbers are architecture-specific: the table for x86-64 has different numbers and different handler addresses than for arm64 or x86-32. Userspace libc knows these numbers and passes them correctly when invoking syscall.

The kernel must treat syscall arguments as potentially malicious because they point to memory in user space — a malicious program could pass a pointer to kernel memory to try to read it, or a NULL pointer to crash the kernel. Every pointer argument is validated before use: the kernel checks whether the address falls within the user portion of the address space (access_ok() in Linux), and dereferencing must go through functions like copy_from_user() or get_user() that copy data safely from user to kernel memory, returning an error code if the copy fails. A common attack is passing a kernel-space address — the kernel must reject it. This is also why seccomp filters inspect syscall arguments; even the kernel's own syscall handler can't assume callers are well-behaved. Pointer validation is why a NULL fd to write() returns EBADF rather than crashing the kernel.

On Linux, open() from glibc places the syscall number for open (5 on x86-64) in rax, the flags and mode arguments in rdi, rsi, rdx, and fires the syscall instruction. The CPU transitions to ring 0 and jumps to the syscall entry point. The kernel's handler validates the path pointer (ensuring it doesn't point into kernel memory), checks file permissions, allocates a file descriptor, creates an open file description, and returns the fd number. On error, it returns -1 and sets errno. The calling program checks the return value and handles the error if negative.

int 0x80 is the legacy 32-bit Linux syscall mechanism — a software interrupt that transfers control to kernel mode via interrupt descriptor table entry 0x80. It was the only mechanism on early Linux. syscall is the modern 64-bit instruction introduced with x86-64 that performs a direct CPU transition to kernel mode without interrupt overhead — it's faster and has dedicated registers for syscall arguments (rdi, rsi, rdx, r10, r8, r9). The kernel maintains separate syscall tables for each mode, and int 0x80 cannot enter the 64-bit kernel.

malloc() is a library function in glibc/musl, not a syscall. It manages a heap within a process's address space by calling brk() or mmap() to request memory pages from the kernel — those are the actual syscalls. This design separates concerns: the kernel manages page-level allocation, while the C library manages byte-level heap semantics (coalescing free blocks, binning by size, alignment). The library also caches freed memory rather than returning it immediately to the kernel, which amortizes syscall overhead. Most malloc() calls never touch the kernel at all.

VDSO (Virtual Dynamic Shared Object) is a shared library the kernel maps into every process's address space at a randomized location. It contains kernel code that has been pre-compiled and exposes pre-computed values for certain syscalls — notably clock_gettime(). Instead of crossing the user/kernel boundary with a syscall instruction, the libc simply reads the VDSO page, which contains the time value already computed by the kernel. This eliminates the privilege switch overhead entirely for these "get" operations. You can verify VDSO is present with cat /proc/self/maps | grep vdso.

fork() is syscall number 57 on x86-64. The kernel's fork handler creates a new process control block (PCB/struct task_struct), duplicates the parent's memory mappings (copy-on-write — pages are shared until either parent or child writes to them), copies the file descriptor table (each fd points to the same open file description, reference count incremented), and sets up the child process's registers so it returns 0 from fork() while the parent gets the child's PID. The key insight is that the kernel doesn't copy the entire memory — just the page table entries, which makes fork fast even for large processes.

seccomp (Secure Computing Mode) is a Linux kernel feature that restricts which syscalls a process may invoke. In strict mode, the only allowed syscalls are read, write, _exit, and sigreturn — anything else kills the process with SIGKILL. Docker uses seccomp-BPF (an extension) to define fine-grained filters based on syscall number and arguments. By default, Docker blocks around 44 syscalls that are not needed for normal container operation — including mount(), syslog(), and module loading. This dramatically reduces the attack surface: even if an attacker compromises the container process, they cannot escalate to host-level access through syscalls the container isn't allowed to make.

C doesn't have exceptions as a language feature (it was added later as a library convention with setjmp/longjmp). Unix was designed in the 1970s with C, and the error model reflects this: syscalls return a signed integer — non-negative values are success (including 0 for read returning no bytes, which is valid), -1 indicates error. The kernel sets the global errno variable to a positive value encoding which error occurred (EFAULT, ENOENT, EPERM, etc.). This maps naturally onto C's error-checking idiom: if (fd < 0) handle_error(). Python, Go, and other languages wrap this underlying contract in their own exception or error-return patterns, but the kernel interface stays the same.

A file descriptor is a small non-negative integer (typically 0, 1, 2 for stdin/stdout/stderr, then 3 upward) that indexes into the per-process file descriptor table. An open file description (also called an open file table entry) is a kernel data structure storing the current file offset, access mode, and a reference to the inode. When you fork(), the child has its own fd table but the entries point to the same open file descriptions — this is why both parent and child see updates to the file offset. When you dup() an fd, both point to the same open file description. File descriptors are process-local; open file descriptions are reference-counted kernel objects that outlive individual fds pointing to them.

dup() returns a new file descriptor that points to the same open file description as the original fd — the kernel allocates the lowest available fd number. dup2(oldfd, newfd) explicitly assigns the duplicated fd to a specific descriptor number you choose, closing newfd first if it's already open. The main use case for dup2() is redirecting standard input, output, or error before executing a child process — for example, redirecting STDIN_FILENO to a file without worrying about what fd number you get back. It also atomically handles the close-of-old-fd case, which matters in multithreaded programs where a fd being closed in another thread could be reused between the close() and dup() in a non-atomic sequence.

pipe(int fds[2]) creates a unidirectional communication channel and returns two file descriptors — fds[0] for reading, fds[1] for writing. Data written to fds[1] can be read from fds[0]. The canonical pattern is: call pipe(), then fork(). After fork, the child typically closes the read end and writes; the parent closes the write end and reads. The kernel's pipe implementation uses a circular buffer in kernel memory. If a process calls pipe() without forking, you have a one-directional channel within a single process — useful for subprocess communication in the same process tree.

fork() creates a new process — it duplicates the calling process, giving the child a copy of the parent's memory, file descriptors, and register state (except the child gets 0 return from fork while the parent gets the child's PID). execve() does not create a new process — it replaces the current process's address space with a new program image, loading the executable from disk and resetting registers, stack, and heap. The typical sequence is: fork() to create a child process, then the child calls execve() to run a different program while inheriting the parent's open file descriptors (which is why pipes redirecting stdin/stdout work with subprocesses). Without execve, fork alone just gives you a clone of the same program running in two processes.

brk() moves the program break (the end of the heap) up or down by a requested amount — it's a simple interface for adjusting how much heap the kernel has allocated to the process. mmap() is more general: it creates a new memory mapping in the process's virtual address space. Mappings can be file-backed (mapping a file's contents into memory) or anonymous (just allocated pages with no backing store). malloc() uses both — small allocations come from the heap managed by brk-style logic inside glibc, while large allocations (typically > 128KB) call mmap() directly to get whole pages directly from the kernel without fragmenting the heap. The key difference is that brk reuses a single heap region while mmap creates entirely new non-contiguous virtual memory regions.

On fork(), the child receives a copy of the parent's file descriptor table — each entry points to the same open file description in the kernel, with the reference count incremented. File descriptors are not duplicated by value; they share the underlying kernel object. The file descriptor flags (FD_CLOEXEC) determine behavior on execve(): if FD_CLOEXEC is set, the fd is automatically closed when the process calls exec. This is how daemons close stdin/stdout/stderr before exec — they set FD_CLOEXEC on the relevant fds before calling execve, so the new program doesn't inherit the parent's file descriptors.

access(path, mode) checks whether the calling process has permission to access a file at a given path — it tests read, write, or execute permissions without actually opening the file. The mode flags are R_OK, W_OK, X_OK, and F_OK (existence check). You'd use access() when you want to test permissions before taking an action that might fail — for example, checking if a file is readable before loading it, or checking execute permission before running a subprocess. Unlike open(), it does not create a file descriptor, does not track the file in the process's fd table, and doesn't update the file's access time. It's purely a permission check against the process's effective UID/GID.

ioctl(fd, request, ...) is a catch-all syscall for device-specific operations that don't fit the standard read/write/open/close model. It takes a file descriptor (often from opening a device node like /dev/tty or a socket) and a request code that uniquely identifies the operation — the third argument is polymorphic, depending on the request. Examples: TIOCGWINSZ to get terminal window size, FIONREAD to get bytes available to read on a file descriptor, SIOCGIFCONF to get network interface addresses. The request codes are typically defined in header files like <sys/ioctl.h> or device-specific headers. It's "miscellaneous" because it's the syscall that doesn't fit neatly into any other category — each device driver implements its own ioctl operations.

prctl(option, arg2, arg3, arg4, arg5) is a multi-purpose syscall for configuring process-level kernel features. Its behavior depends entirely on the option argument. Common uses include: PR_SET_SECCOMP to enable seccomp (the first argument after SECCOMP_MODE_STRICT), PR_SET_PDEATHSIG to set a signal delivered to the process when its parent dies, PR_SET_NAME to set the process name visible in /proc/self/status, and PR_GET_DUMPABLE to query whether core dumps can be made after setuid operations. It's the primary interface for process self-configuration that doesn't fit elsewhere. seccomp-BPF extends this by using prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &bpf_program) to load BPF filter programs.

File descriptors are preserved across execve() — they remain open and point to the same open file descriptions they referenced before the exec. The file descriptor table itself is replaced entirely (the child process gets a fresh fd table on fork, then that table is reused on exec). The key exception is if FD_CLOEXEC flag is set on a fd, the kernel automatically closes it during exec as a safety measure. This design supports the common Unix pattern where a parent sets up pipes before forking and execing a child — the child inherits the pipe fds and they remain open during exec so the new program can use them. Without this, redirecting stdin/stdout in subprocesses would require the subprocess to explicitly reopen file descriptors after starting.

read() and write() are library functions (in glibc, musl) that wrap the raw syscall(SYS_read, ...) instruction. syscall() itself is a generic function taking a syscall number as its first argument, followed by up to six arguments passed to the kernel. You could theoretically call syscall(SYS_read, fd, buf, count) directly, bypassing the libc wrapper — though normally you wouldn't because the wrapper does argument validation, error handling (setting errno), and in the case of fopen() vs open(), adds buffering. Using the raw syscall() function also bypasses any libc-level interception (some build environments intercept syscalls for debugging or sandboxing). In normal application code, use the wrappers — they're more ergonomic and handle errno correctly.

Each syscall has a unique number (e.g., read = 0, write = 1, open = 2, fork = 57 on x86-64) that serves as an index into the kernel's syscall table. When a user process executes the syscall instruction, the CPU writes the syscall number into rax and arguments into specific registers. The kernel's entry point (in the kernel's assembly code) uses that number to index into an array of function pointers — sys_call_table[rax] — and calls the corresponding handler function. This indirection is why syscall numbers are architecture-specific: the table for x86-64 has different numbers and different handler addresses than for arm64 or x86-32. Userspace libc knows these numbers and passes them correctly when invoking syscall.

The kernel must treat syscall arguments as potentially malicious because they point to memory in user space — a malicious program could pass a pointer to kernel memory to try to read it, or a NULL pointer to crash the kernel. Every pointer argument is validated before use: the kernel checks whether the address falls within the user portion of the address space (access_ok() in Linux), and dereferencing must go through functions like copy_from_user() or get_user() that copy data safely from user to kernel memory, returning an error code if the copy fails. A common attack is passing a kernel-space address — the kernel must reject it. This is also why seccomp filters inspect syscall arguments; even the kernel's own syscall handler can't assume callers are well-behaved. Pointer validation is why a NULL fd to write() returns EBADF rather than crashing the kernel.