SipsOfCode/infrastructure
2
2
Fork 0
Code Issues 5 Pull requests 4 Releases Activity

Define custom seccomp filters for container services #191

New issue
Open
opened 2025-05-01 20:26:02 +02:00 by histalek · 0 comments
histalek commented 2025-05-01 20:26:02 +02:00
Owner
Copy link

(Semi copy&paste from my old repo)

This would decrease the attack surface for rogue container processes.
Instead of manually checking for needed syscalls, the OCI seccomp runtime hook could be used to create a list of these syscalls.
The hook uses eBPF which needs root privileges. So for rootless containers these would need to be created beforehand in a rootfull way.
Ref.: RH-Article "Improving Linux container security with seccomp

(Semi copy&paste from my old repo) This would decrease the attack surface for rogue container processes. Instead of manually checking for needed syscalls, the [OCI seccomp runtime hook](https://github.com/containers/oci-seccomp-bpf-hook) could be used to create a list of these syscalls. The hook uses [eBPF](https://ebpf.io/what-is-ebpf/) which needs root privileges. So for rootless containers these would need to be created beforehand in a rootfull way. Ref.: [RH-Article "Improving Linux container security with seccomp](https://www.redhat.com/en/blog/container-security-seccomp)
👍 1
Sign in to join this conversation.
No Branch/Tag specified
Branches Tags
main
renovate/fedora.linux_system_roles-1.x
renovate/woodpeckeragent-3.x
renovate/woodpecker-3.x
renovate/community.general-11.x
v25.01
v24.12
v24.10
v24.11
v24.09
v24.08
v24.07
v24.06
v24.05
v24.04
v24.03
v24.02
v24.01
v23.11
v23.12
v23.10
v23.09
v23.08
v23.07
v23.06
v23.05
v23.04
v23.03
v23.02
v23.01
v22.12
v22.11
v22.10
v22.09
v22.08
v22.07
v22.06
v22.05
v22.04
v22.03
v22.02
v22.01
v21.12
v21.11
v21.10
v21.09
Labels
Clear labels
No items
No labels
Milestone
Clear milestone
No items
No milestone
Projects
Clear projects
No items
No project
Assignees
Clear assignees
No assignees
1 participant
Notifications
Due date
The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: SipsOfCode/infrastructure#191
No description provided.
Delete branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?