Seccomp - What Can It Do For You?

Explore the capabilities and applications of Seccomp, a system call filtering tool built into Linux, in this 34-minute conference talk by Justin Cormack from Docker. Gain insights into Seccomp's role as a security layer in Docker and its journey towards becoming a default feature in Kubernetes. Learn about the practical benefits of Seccomp for enhancing real-world security and discover best practices for its implementation. Examine the reworking of Docker's default Seccomp policy based on security vulnerabilities encountered over the past five years. Understand how Seccomp can be utilized both as a policy in runtime environments and directly by applications. Delve into the challenges and pitfalls associated with Seccomp usage, particularly as syscalls evolve over time. Analyze case studies of security vulnerabilities and usability issues related to Seccomp implementation.

Intro
Justin Cormack
Secure Computing
In theory
seccomp in practise
In Docker and Kubernetes
Do not use
User namespaces
CVE 2016-3134
CVE 2020-8835
The war on Emacs
Accidentally broke Steam!
Performance
CVE 2018-17182
Don't use it?
Are small blocklists better?
Is it better to push to runtime? 3 Virtual
gVisor
Lambda like?
eBPF LSM
Prediction