seccomp
Definition
Seccomp, short for Secure Computing Mode, is a Linux kernel feature that restricts the system calls a process can make, thereby reducing the attack surface of the application. It operates in one of two modes: a “strict” mode, in which the process may only make a small fixed set of system calls, or a “filter” mode, in which a BPF program attached to the process decides, per system call, whether the call is allowed, fails with an error, or kills the process. This mechanism is particularly useful in containerized environments, where a seccomp profile applied to each container prevents potentially harmful system calls from reaching the shared kernel.
Secure Settings Example
# Example of a Kubernetes PodSecurityContext using seccomp
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
    - name: secure-container
      image: my-secure-image
Insecure Settings Example
# Example of a Kubernetes PodSecurityContext with seccomp disabled
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  securityContext:
    seccompProfile:
      type: Unconfined
  containers:
    - name: insecure-container
      image: my-insecure-image