Google, IBM & Meta Certificates — All 10,000+ Courses at 40% Off
One annual plan covers every course and certificate on Coursera. 40% off for a limited time.
Get Full Access
Explore the intricacies of container security through system call interception in this 50-minute Linux Foundation talk. Delve into the seccomp system call interception mechanism introduced in Linux 5.9, understanding its potential for enhancing container security. Learn about the challenges and proper implementation techniques to avoid time of check/time of use issues. Discover how this technology enables unprivileged containers to perform privileged tasks selectively through a monitoring process. Examine LXD's practical applications of system call interception, including uses for "setxattr," "bpf," "mount," and "mknod" system calls. Gain insights into the innovative approach of intercepting "mount" system calls and replacing them with FUSE mounts. Cover topics such as different container types, seccomp fundamentals, safety concerns, mount and sysinfo operations, and future developments in container security.
