diff --git a/BUILD.gn b/BUILD.gn
index 25fc7e482737b10a965d8c2f9f26e95486c07454..3964cfee99509d81ca3d250c299a41caed983c3e 100644
--- a/BUILD.gn
+++ b/BUILD.gn
@@ -31,6 +31,7 @@ config("appspawn_config") {
 "//base/startup/init/services/loopevent/include",
 "//base/startup/init/interfaces/innerkits/include",
 "//third_party/json/include",
+ "//base/startup/init/services/modules/seccomp/include",
 ]
 if (build_selinux) {
@@ -99,8 +100,14 @@ ohos_static_library("appspawn_server") {
 external_deps += [ "selinux:libhap_restorecon" ]
 }
+ cflags = []
+ #if (build_seccomp) {
+ cflags += [ "-DWITH_SECCOMP" ]
+ deps += [ "//base/startup/init/services/modules/seccomp:seccomp" ]
+ #}
+
 if (appspawn_report_event) {
- cflags = [ "-DREPORT_EVENT" ]
+ cflags += [ "-DREPORT_EVENT" ]
 deps += [ "adapter/sysevent:event_reporter" ]
 }
@@ -145,6 +152,12 @@ ohos_static_library("nwebspawn_server") {
 external_deps += [ "selinux:libhap_restorecon" ]
 }
+ cflags = []
+ #if (build_seccomp) {
+ cflags += [ "-DWITH_SECCOMP" ]
+ deps += [ "//base/startup/init/services/modules/seccomp:seccomp" ]
+ #}
+
 subsystem_name = "${subsystem_name}"
 part_name = "${part_name}"
 }
diff --git a/common/appspawn_server.c b/common/appspawn_server.c
index 0d369e2fd0a4485a8c6f0378aea1fe493c04a5ab..b3a20cf1c71df57573b5964d67abbaea7bc3937c 100644
--- a/common/appspawn_server.c
+++ b/common/appspawn_server.c
@@ -93,6 +93,14 @@ int DoStartApp(struct AppSpawnContent_ *content, AppSpawnClient *client, char *l
 return ret, "Failed to set setProcessName");
 }
+#ifdef WITH_SECCOMP
+ if (content->setSeccompFilter) {
+ ret = content->setSeccompFilter(content, client);
+ APPSPAWN_CHECK(ret == 0, NotifyResToParent(content, client, ret);
+ return ret, "Failed to set setSeccompFilter");
+ }
+#endif
+
 if (content->setUidGid) {
 ret = content->setUidGid(content, client);
 APPSPAWN_CHECK(ret == 0, NotifyResToParent(content, client, ret);
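Review bot: In BUILD.gn's `appspawn_server` hunk the `if (build_seccomp)` guard is left commented out (`#if (build_seccomp) {` … `#}`), so `-DWITH_SECCOMP` and the `//base/startup/init/services/modules/seccomp:seccomp` dep are applied to every build; the `nwebspawn_server` hunk carries the same commented-out guard. Either restore the condition with a declared build argument, or delete the dead comment lines and say that the control is mandatory, e.g. `# seccomp is always enabled for appspawn; there is no build switch`. As written a reader cannot tell whether the missing switch is deliberate, and a product that does not ship the init seccomp module presumably cannot build these targets. Both target bodies start outside their hunks, so whether `cflags` is already assigned before the new `cflags = []` cannot be checked from here.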
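Review bot: In `DoStartApp` (common/appspawn_server.c) the new `setSeccompFilter` call runs before `setUidGid`, and nothing in the hunk records why; the order is security-relevant, because every setup step that follows has to be permitted by the filter installed here. Say so at the call site, e.g. `/* Install the seccomp filter before the uid/gid switch; the policy must still allow the syscalls used by the remaining setup steps. */`, adjusted to what the policy really requires, since `SetSeccompPolicy` is not visible on this page. The failure path reports through `NotifyResToParent` and returns, which fails closed and matches the neighbouring steps. The function body starts and ends outside the hunk.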
diff --git a/common/appspawn_server.h b/common/appspawn_server.h
index 39f46cdd5eec5a837dbcd8396a6aea43481a5501..24d10c10d4546aba87ba852774ad68baa31023a3 100644
--- a/common/appspawn_server.h
+++ b/common/appspawn_server.h
@@ -79,6 +79,9 @@ typedef struct AppSpawnContent_ {
 #ifdef ASAN_DETECTOR
 int (*getWrapBundleNameValue)(struct AppSpawnContent_ *content, AppSpawnClient *client);
 #endif
+#ifdef WITH_SECCOMP
+ int (*setSeccompFilter)(struct AppSpawnContent_ *content, AppSpawnClient *client);
+#endif
 } AppSpawnContent;
 AppSpawnContent *AppSpawnCreateContent(const char *socketName, char *longProcName, uint32_t longProcNameLen, int cold);
diff --git a/standard/appspawn_process.c b/standard/appspawn_process.c
index 26a26ff020a0c39ccab19cd720c89691b5cad162..1def09468a216b8d0442045b4ab934697e31a858 100644
--- a/standard/appspawn_process.c
+++ b/standard/appspawn_process.c
@@ -31,6 +31,9 @@
 #include "securec.h"
 #include "parameter.h"
+#ifdef WITH_SECCOMP
+#include "seccomp_policy.h"
+#endif
 #define DEVICE_NULL_STR "/dev/null"
@@ -376,6 +379,19 @@ int GetAppSpawnClientFromArg(int argc, char *const argv[], AppSpawnClientExt *cl
 return 0;
 }
+#ifdef WITH_SECCOMP
+static int SetSeccompFilter(struct AppSpawnContent_ *content, AppSpawnClient *client)
+{
+#ifdef NWEB_SPAWN
+ if (!SetSeccompPolicy(NWEBSPAWN)) {
+ APPSPAWN_LOGE("init seccomp failed");
+ return -1;
+ }
+#endif
+ return 0;
+}
+#endif
+
 void SetContentFunction(AppSpawnContent *content)
 {
 APPSPAWN_LOGI("SetContentFunction");
@@ -391,4 +407,7 @@ void SetContentFunction(AppSpawnContent *content)
 #ifdef ASAN_DETECTOR
 content->getWrapBundleNameValue = GetWrapBundleNameValue;
 #endif
+#ifdef WITH_SECCOMP
+ content->setSeccompFilter = SetSeccompFilter;
+#endif
 }
diff --git a/standard/appspawn_service.c b/standard/appspawn_service.c
index 071d952e5dad8ce58985f55dc5218b41e68c5171..f9e828d2b53e5537f3db0743c790ef3ef7e04e08 100644
--- a/standard/appspawn_service.c
+++ b/standard/appspawn_service.c
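Review bot: The new `setSeccompFilter` member of `AppSpawnContent` (common/appspawn_server.h) exists only under `#ifdef WITH_SECCOMP`, while BUILD.gn in this commit adds `-DWITH_SECCOMP` to the `appspawn_server` and `nwebspawn_server` targets rather than to the shared `appspawn_config`. Any other target that includes this header without the define would see a smaller struct, and a type that embeds `AppSpawnContent` (the `AppSpawnContentExt` cast in `AppSpawnInit` suggests one) would then disagree on field offsets between translation units. Consider declaring the member unconditionally and leaving it NULL when seccomp is off, or moving the define into `config("appspawn_config")`; `DoStartApp` already null-checks the pointer. The `ASAN_DETECTOR` member above uses the same conditional pattern, and the struct begins outside the hunk.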
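Review bot: `SetSeccompFilter` in standard/appspawn_process.c installs a policy only when `NWEB_SPAWN` is defined; in every other build it returns 0 without calling `SetSeccompPolicy`, so `DoStartApp` records the step as successful although no per-child filter was applied. If that is intended, state it above the function, e.g. `/* Only nwebspawn children get a per-process policy here; other builds install nothing in this step. */`. `content` and `client` are unused, so `(void)content; (void)client;` would keep unused-parameter warnings quiet, and the log text `"init seccomp failed"` would be easier to triage if it named the policy that failed.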
@@ -28,6 +28,10 @@
 #include "parameter.h"
 #include "securec.h"
+#ifdef WITH_SECCOMP
+#include "seccomp_policy.h"
+#endif
+
 #ifdef REPORT_EVENT
 #include "event_reporter.h"
 #endif
@@ -447,6 +451,17 @@ static void NotifyResToParent(struct AppSpawnContent_ *content, AppSpawnClient *
 close(fd);
 }
+#ifdef WITH_SECCOMP
+bool SetUidGidFliter(void)
+{
+ if (!SetSeccompPolicy(APPSPAWN)) {
+ APPSPAWN_LOGE("SetSeccompPolicy APPSPAWN failed");
+ return false;
+ }
+ return true;
+}
+#endif
+
 static void AppSpawnInit(AppSpawnContent *content)
 {
 AppSpawnContentExt *appSpawnContent = (AppSpawnContentExt *)content;
@@ -461,6 +476,11 @@ static void AppSpawnInit(AppSpawnContent *content)
 // set private function
 SetContentFunction(content);
+ // set uid gid filetr
+#ifdef WITH_SECCOMP
+ APPSPAWN_CHECK(SetUidGidFliter() == true, return, "SetUidGidFliter failed");
+#endif
+
 // load app sandbox config
 LoadAppSandboxConfig();
 }
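Review bot: `SetUidGidFliter` in standard/appspawn_service.c is defined without `static` and its name misspells "Filter"; its only visible caller is `AppSpawnInit` in the same file, so it should read `static bool SetUidGidFilter(void)`, with the call in the last hunk renamed to match. The name also hides what the function does, which is to apply the `APPSPAWN` seccomp policy to the calling process; a one-line comment such as `/* Install the APPSPAWN seccomp policy in the calling process. */` would make that clear. The comment added in the last hunk has the matching typo (`filetr`).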
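Review bot: In `AppSpawnInit` a failed `SetUidGidFliter()` only logs and returns from a `void` function, so the caller cannot see the failure and `LoadAppSandboxConfig()` is skipped as a side effect. Unless the caller checks something not shown here, the service would keep running with neither the seccomp policy nor the sandbox configuration loaded, which fails open. Make the policy explicit: preferably treat a missing filter as fatal for the daemon, or, if it must be tolerated, log it and still reach `LoadAppSandboxConfig()` with `if (!SetUidGidFliter()) { APPSPAWN_LOGE("seccomp policy not installed"); }`. The `// set uid gid filetr` comment belongs inside the `#ifdef WITH_SECCOMP` block, and `== true` is redundant on a `bool`. The function starts outside the hunk.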