{"guid":"18b9979c-f66d-5009-b3e7-7d5184fd185e","title":"Generating seccomp profiles for containers using podman and eBPF","subtitle":null,"slug":"ASG2019-140-generating-seccomp-profiles-for-containers-using-podman-and-ebpf","link":"https://cfp.all-systems-go.io/ASG2019/talk/ACEWHG/","description":"Currently everyone uses the same seccomp rules for running their containers. This tool allows us to generate seccomp rules based on what the container actually requires and allows us to lock down the container.\n\nWe had a GSOC student this summer who instrumented podman to allow it to run containers and then generate the seccomp rules for the container based on the syscalls that the container actually made.\n\nOnce you have this newly generated seccomp file and are satisfied that you have thoroughly tested the container, you can run the container in production using the seccomp.json file.\n\nThis talk will explain how the tool works and demonstrate it in action.","original_language":"eng","persons":["Dan Walsh"],"tags":["asg2019","140","2019"],"view_count":230,"promoted":false,"date":"2019-09-21T00:00:00.000+02:00","release_date":"2019-09-21T02:00:00.000+02:00","updated_at":"2026-03-27T13:15:05.448+01:00","length":1615,"duration":1615,"thumb_url":"https://static.media.ccc.de/media/events/all_systems_go/2019/140-hd.jpg","poster_url":"https://static.media.ccc.de/media/events/all_systems_go/2019/140-hd_preview.jpg","timeline_url":"https://static.media.ccc.de/media/events/all_systems_go/2019/140-hd.timeline.jpg","thumbnails_url":"https://static.media.ccc.de/media/events/all_systems_go/2019/140-hd.thumbnails.vtt","frontend_link":"https://media.ccc.de/v/ASG2019-140-generating-seccomp-profiles-for-containers-using-podman-and-ebpf","url":"https://api.media.ccc.de/public/events/18b9979c-f66d-5009-b3e7-7d5184fd185e","conference_title":"All Systems Go! 
2019","conference_url":"https://api.media.ccc.de/public/conferences/asg2019","related":[{"event_id":7870,"event_guid":"878e4754-c346-5b93-96d2-1ca8bf5109c3","weight":5},{"event_id":7875,"event_guid":"21aca390-bc0c-5eef-a867-1b57a7ee36ab","weight":4},{"event_id":7878,"event_guid":"dcabb3af-fcac-5e83-a77d-5aa655cd95b3","weight":1},{"event_id":7879,"event_guid":"b5ead4a4-e2f5-55d1-8ce1-ae27fbab329c","weight":2},{"event_id":7880,"event_guid":"8617d047-766c-5837-9350-a35c6d29d7cb","weight":4},{"event_id":7882,"event_guid":"a738a107-7051-544d-98cf-b6c3adce4a3f","weight":5},{"event_id":7883,"event_guid":"40aa2960-6288-5a2f-bf6f-268746f0ecdf","weight":5},{"event_id":7886,"event_guid":"df4ceb70-2c63-538c-b581-e60adc89f261","weight":3},{"event_id":7891,"event_guid":"355ea6a0-d58b-5a47-a613-312ede6b1859","weight":5},{"event_id":7893,"event_guid":"7bc76c4b-311d-55e4-b60e-1c837b15ed7b","weight":4},{"event_id":7894,"event_guid":"b9883475-56ad-5749-9c65-e178a1e6bbfb","weight":8},{"event_id":7914,"event_guid":"53354cbe-c92f-5c48-82e3-194690b28f0c","weight":4},{"event_id":7918,"event_guid":"147efef1-ba80-5748-9655-fb5cd41f61f9","weight":4},{"event_id":7922,"event_guid":"090131ec-ac5c-5b60-85a0-6d080ea4054c","weight":1}],"recordings":[{"size":64,"length":1615,"mime_type":"video/webm","language":"eng","filename":"asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_webm-sd.webm","state":"new","folder":"webm-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-09-21T18:33:43.522+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2019/webm-sd/asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_webm-sd.webm","url":"https://api.media.ccc.de/public/recordings/40543","event_url":"https://api.media.ccc.de/public/events/18b9979c-f66d-5009-b3e7-7d5184fd185e","conference_url":"https://api.media.ccc.de/public/conferences/asg2019"},{"size":24,"length":1615,"mime_type":"audio/mpeg","language":"eng","filena
me":"asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_mp3.mp3","state":"new","folder":"mp3","high_quality":false,"width":0,"height":0,"updated_at":"2019-09-21T18:33:53.960+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2019/mp3/asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_mp3.mp3","url":"https://api.media.ccc.de/public/recordings/40544","event_url":"https://api.media.ccc.de/public/events/18b9979c-f66d-5009-b3e7-7d5184fd185e","conference_url":"https://api.media.ccc.de/public/conferences/asg2019"},{"size":165,"length":1615,"mime_type":"video/webm","language":"eng","filename":"asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_webm-hd.webm","state":"new","folder":"webm-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-09-21T18:34:35.156+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2019/webm-hd/asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_webm-hd.webm","url":"https://api.media.ccc.de/public/recordings/40546","event_url":"https://api.media.ccc.de/public/events/18b9979c-f66d-5009-b3e7-7d5184fd185e","conference_url":"https://api.media.ccc.de/public/conferences/asg2019"},{"size":44,"length":1615,"mime_type":"video/mp4","language":"eng","filename":"asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_sd.mp4","state":"new","folder":"h264-sd","high_quality":false,"width":720,"height":576,"updated_at":"2019-09-21T18:35:13.939+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2019/h264-sd/asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_sd.mp4","url":"https://api.media.ccc.de/public/recordings/40549","event_url":"https://api.media.ccc.de/public/events/18b9979c-f66d-5009-b3e7-7d5184fd185e","conference_url":"https://api.media.ccc.de/public/conferences/asg2019"},{"size":105,"length":1615,"mime_type":"v
ideo/mp4","language":"eng","filename":"asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_hd.mp4","state":"new","folder":"h264-hd","high_quality":true,"width":1920,"height":1080,"updated_at":"2019-09-21T18:37:43.992+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2019/h264-hd/asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_hd.mp4","url":"https://api.media.ccc.de/public/recordings/40550","event_url":"https://api.media.ccc.de/public/events/18b9979c-f66d-5009-b3e7-7d5184fd185e","conference_url":"https://api.media.ccc.de/public/conferences/asg2019"},{"size":14,"length":1615,"mime_type":"audio/opus","language":"eng","filename":"asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_opus.opus","state":"new","folder":"opus","high_quality":false,"width":0,"height":0,"updated_at":"2019-09-21T18:39:07.789+02:00","recording_url":"https://cdn.media.ccc.de/events/all_systems_go/2019/opus/asg2019-140-eng-Generating_seccomp_profiles_for_containers_using_podman_and_eBPF_opus.opus","url":"https://api.media.ccc.de/public/recordings/40555","event_url":"https://api.media.ccc.de/public/events/18b9979c-f66d-5009-b3e7-7d5184fd185e","conference_url":"https://api.media.ccc.de/public/conferences/asg2019"}]}