Generate seccomp profiles for containers using bpf - DevConf.CZ 2020

Speakers: Daniel Walsh, Divyansh Kamboj, Valentin Rothberg Podman is an open-source cli tool for working with containers, pods and container images. It uses a kernel feature called seccomp to filter syscalls made by the processes inside the container. This allows Podman to reduce the attack surface of the kernel which is exposed to the container. Currently, everybody ships the same basic seccomp profile. This tool allows us to generate seccomp rules based on what the container actually requires and allows us to lock down the container by reducing the attack surface to the kernel. This summer Dan Walsh, Valentin Rothberg and worked during Google Summer of Code to create an OCI hook to generate seccomp rules for a container based on the syscalls that the container actually made. This talk will explain how the tool works and demonstrate it in action. [ https://sched.co/YOo8 ] -- Recordings of talks at DevConf are a community effort. Unfortunately not everything works perfectly every time. If you're interested in helping us improve, let us know.