seccomp profile

Jan 1, 0001

Definition

Seccomp (Secure Computing Mode) is a Linux kernel feature that restricts the system calls a process can make, thereby reducing the attack surface of the application. A seccomp profile defines a set of allowed and denied system calls for a containerized application, enhancing security by preventing unauthorized or potentially harmful operations. This is particularly useful in containerized environments like Docker or Kubernetes, where limiting system calls can prevent privilege escalation and other security vulnerabilities.

Secure Settings Example

# Kubernetes PodSecurityContext with a seccomp profile
apiVersion: v1
kind: Pod
metadata:
  name: secure-pod
spec:
  securityContext:
    seccompProfile:
      type: RuntimeDefault
  containers:
  - name: secure-container
    image: my-secure-image

Insecure Settings Example

# Kubernetes PodSecurityContext without a seccomp profile
apiVersion: v1
kind: Pod
metadata:
  name: insecure-pod
spec:
  containers:
  - name: insecure-container
    image: my-insecure-image
    securityContext:
      allowPrivilegeEscalation: true

seccomp profile

Definition

Secure Settings Example

Insecure Settings Example

Ask AppSec: free security newsletter

Ask AppSec: free security newsletter