Generating seccomp profiles for containers using podman and eBPF

Dan Walsh

Playlists: 'asg2019' videos starting here / audio / related events

Currently everyone uses the same seccomp rules for running their containers. This tool allows us to generate seccomp rules based on what the container actually requires and allows us to lock down the container.

We had a GSOC student this summer who instrumented podman to allow it to run containers and then genrate the seccomp rules for the container based on the syscalls that the container actually made.

Once you have this newly generate seccomp file and are satisfied that you have thoroughly tested the container, you can run the container inproduction using the seccomp.json file.

This talk will explain how the tool works and demonstrate it in action.