Seccomp
Overview
Seccomp (secure computing mode) restricts which syscalls a process can make. Container runtimes apply seccomp-bpf profiles to reduce the kernel attack surface exposed to a container.
Modes
Strict: only read, write, exit, and sigreturn are allowed.
Filter: programmable filters written as BPF programs (the modern usage).
How It Works
Filters are attached per process/thread and inherited across fork and execve.
Disallowed syscalls can be denied with an error, kill the process/thread, or be logged, depending on the action the profile specifies.
no_new_privs is commonly set alongside the filter so that a later execve of a setuid or file-capability binary cannot escalate privileges; an unprivileged process must set it before it can install a filter at all.
Example (Conceptual)
Allow read, write, and exit, and deny everything else. The runtime applies a JSON profile, which it compiles to BPF before attaching it to the container's processes.
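As an added example (not from this page or any runtime's own code), the conceptual profile above compiled by hand into the classic-BPF program a runtime generates from its JSON, then installed under no_new_privs. It assumes x86_64 Linux, and uses EPERM rather than kill as the default action so the demo keeps running after the filter is in place.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#ifndef SECCOMP_RET_KILL_PROCESS
#define SECCOMP_RET_KILL_PROCESS 0x80000000U /* older headers predate this action */
#endif

/* Compile an allowlist of syscall numbers into classic BPF: verify the arch,
 * load the syscall nr, one JEQ per allowed nr jumping to ALLOW, else default.
 * Returns the instruction count, or -1 if the program would not fit. */
int build_allowlist(const int *allowed, size_t n, unsigned int default_action,
                    struct sock_filter *out, size_t cap) {
    size_t k = 0;
    if (n > 255 || n + 6 > cap) return -1;   /* BPF jump offsets are 8-bit */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 1, 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS); /* foreign ABI */
    out[k++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)   /* on match, skip the remaining checks and the default */
        out[k++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, (unsigned)allowed[i], (unsigned char)(n - i), 0);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, default_action);
    out[k++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return (int)k;
}

/* no_new_privs first: required for an unprivileged caller, and it stops a later
 * execve of a setuid binary from regaining what the filter took away. */
int install_filter(struct sock_filter *insns, int count) {
    struct sock_fprog prog = { .len = (unsigned short)count, .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void) {
    /* read/write/exit plus exit_group and rt_sigreturn (libc needs them); all else fails with EPERM */
    int allowed[] = { SYS_read, SYS_write, SYS_exit, SYS_exit_group, SYS_rt_sigreturn };
    struct sock_filter insns[64];
    int n = build_allowlist(allowed, 5, SECCOMP_RET_ERRNO | EPERM, insns, 64);
    if (n < 0 || install_filter(insns, n) != 0) { perror("seccomp"); return 1; }
    static const char ok[] = "write() still allowed\n", blocked[] = "getpid() denied with EPERM\n";
    write(1, ok, sizeof ok - 1);
    if (getpid() == -1 && errno == EPERM) write(1, blocked, sizeof blocked - 1);
    return 0;
}
```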
Container Notes
Docker ships a default seccomp profile, which can be overridden per container. Seccomp complements Linux/Containerization/Capabilities and Linux/Containerization/LSM.