Generating seccomp profiles for containers using podman and eBPF
09-21, 14:05–14:30 (Europe/Berlin), Cage

Currently, everyone runs their containers under the same default seccomp rules. This tool lets us generate seccomp rules based on what the container actually requires, so the container can be locked down to just those syscalls.

We had a GSoC student this summer who instrumented podman so that it can run a container and then generate the seccomp rules for that container from the syscalls the container actually made.

Once you have this newly generated seccomp file and are satisfied that you have thoroughly tested the container, you can run the container in production using the seccomp.json file.
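The trace-then-confine workflow just described, as an added example that is not part of the talk or of podman itself. It assumes the tracing tool is the oci-seccomp-bpf-hook, which podman triggers through the annotation `io.containers.trace-syscall=of:<file>` (the hook loads an eBPF program, so a rootful podman is assumed when `main()` runs); the image name, the profile path and the sample profile embedded below are assumptions constructed for the example. The two helpers at the end check the generated profile before it is shipped: the default action must deny, and the allow list must not be empty.

```python
"""Trace a container's syscalls with podman, then rerun it under the generated
seccomp.json. Added example; assumes the oci-seccomp-bpf-hook annotation."""
import json
import shutil
import subprocess
from pathlib import Path

PROFILE_PATH = Path("/tmp/seccomp.json")   # assumed output location
IMAGE = "docker.io/library/alpine"         # assumed test image

# seccomp actions that refuse a syscall not on the allow list
DENY_ACTIONS = {"SCMP_ACT_ERRNO", "SCMP_ACT_KILL",
                "SCMP_ACT_KILL_PROCESS", "SCMP_ACT_TRAP"}

# Constructed sample in the OCI seccomp JSON layout, so the checks below
# can be exercised offline; it is not real hook output.
SAMPLE_PROFILE = {
    "defaultAction": "SCMP_ACT_ERRNO",
    "architectures": ["SCMP_ARCH_X86_64"],
    "syscalls": [
        {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
        {"names": ["execve"], "action": "SCMP_ACT_ALLOW"},
    ],
}


def trace_argv(profile, image, command):
    """podman argv for the tracing run: the hook records every syscall the
    container makes and writes the profile to the 'of:' (output file) path."""
    return ["podman", "run", "--rm",
            "--annotation", f"io.containers.trace-syscall=of:{profile}",
            image, *command]


def confined_argv(profile, image, command):
    """podman argv for the production-style run under the generated profile."""
    return ["podman", "run", "--rm",
            "--security-opt", f"seccomp={profile}",
            image, *command]


def load_profile(path):
    return json.loads(Path(path).read_text())


def allowed_syscalls(profile_dict):
    """Sorted list of syscall names the profile allows."""
    names = set()
    for rule in profile_dict.get("syscalls", []):
        if rule.get("action") == "SCMP_ACT_ALLOW":
            names.update(rule.get("names", []))
    return sorted(names)


def check_profile(profile_dict):
    """Return a list of problems; an empty list means the profile is usable."""
    problems = []
    default = profile_dict.get("defaultAction")
    if default not in DENY_ACTIONS:
        problems.append(f"defaultAction is {default!r}, not a deny action")
    if not allowed_syscalls(profile_dict):
        problems.append("profile allows no syscalls; the container could not even exit cleanly")
    return problems


def main():
    if shutil.which("podman") is None:
        raise SystemExit("podman not found; nothing to trace")
    workload = ["sh", "-c", "echo hello"]
    # 1. run the workload once under tracing; the hook writes PROFILE_PATH
    subprocess.run(trace_argv(PROFILE_PATH, IMAGE, workload), check=True)
    # 2. inspect what was recorded before trusting it
    profile = load_profile(PROFILE_PATH)
    print(f"allowed syscalls: {allowed_syscalls(profile)}")
    problems = check_profile(profile)
    if problems:
        raise SystemExit("\n".join(problems))
    # 3. run the same workload confined to exactly those syscalls
    subprocess.run(confined_argv(PROFILE_PATH, IMAGE, workload), check=True)


if __name__ == "__main__":
    main()
```

The profile only contains syscalls that were actually observed, so a code path your tests never exercised will be refused (EPERM under SCMP_ACT_ERRNO) in production; run the full test suite, not a single command, under the tracing annotation before keeping the result.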

This talk will explain how the tool works and demonstrate it in action.

Daniel Walsh is a Senior Distinguished Engineer at Red Hat, which he joined in August 2001. He is the architect of the Red Hat Container Runtime Engineering team and focuses on CRI-O, Buildah, Podman, containers/storage and containers/image. He previously led the SELinux project.