Generating seccomp profiles for containers using podman and eBPF

Cite

Related Material

Chaos Computer Club e.V.

Walsh, Dan

Formal Metadata

Title

Generating seccomp profiles for containers using podman and eBPF

Title of Series

All Systems Go! 2019

Number of Parts

Author

Walsh, Dan

License

CC Attribution 3.0 Unported:
You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.

Identifiers

10.5446/46117 (DOI)

Publisher

Chaos Computer Club e.V.

Release Date

2019

Language

English

Producer

All Systems Go!

Content Metadata

Subject Area

Computer Science

Genre

Conference/Talk

Abstract

Currently everyone uses the same seccomp rules for running their containers. This tool allows us to generate seccomp rules based on what the container actually requires and allows us to lock down the container. We had a GSOC student this summer who instrumented podman to allow it to run containers and then genrate the seccomp rules for the container based on the syscalls that the container actually made. Once you have this newly generate seccomp file and are satisfied that you have thoroughly tested the container, you can run the container inproduction using the seccomp.json file. This talk will explain how the tool works and demonstrate it in action.