Name: Using Seccomp to Limit the Kernel Attack Surface - Michael Kerrisk, man7.org
Start: 2016-10-05T16:40:00+0200
End: 2016-10-05T17:30:00+0200

October 4-6 in Berlin, Germany
Register Now for LinuxCon+ContainerCon Europe

Back To Schedule

Using Seccomp to Limit the Kernel Attack Surface - Michael Kerrisk, man7.org

Seccomp (secure computing) is a means to limit the system calls a program may make: it can be used to select exactly which system calls are permitted (or denied) and to restrict the arguments that may be passed to those system calls. System call filtering is achieved by writing BPF programs--programs written for a small in-kernel virtual machine that is able to examine system call numbers and arguments. Among other uses, seccomp is by now a key component of various container systems such as Docker and LXC. In this session, I'll provide a bottom-up view of seccomp before going on to examine the BPF virtual machine and some practical examples of filtering programs that restrict the set of permitted system calls. The goal is to give developers and administrators using container frameworks a solid understanding of a tool that has become a fundamental component of container frameworks.

Speakers

Michael Kerrisk

Trainer/consultant, man7.org Training and Consulting

Michael Kerrisk is the author of the acclaimed book, "The Linux Programming Interface" (http://man7.org/tlpi/), a guide and reference for system programming on Linux and UNIX. He contributes to the Linux kernel primarily via documentation, review, and testing of new kernel-user-space... Read More →

Wednesday October 5, 2016 16:40 - 17:30 CEST
Köpenick

Developer View all ContainerCon Sessions

Experience Level Intermediate

Attendees (68)

J
T
S
A
M
G
e
W
S
L
T
H
O
s
W
View All →

LinuxCon+ContainerCon Europe 2016

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Michael Kerrisk

Attendees (68)