Killing in the name of eBPF
Presenters: Holger Gantikow, Cedric Casper (science+computing AG, an Atos company)
Session Type: Lightning Talk (5min)
Topics: eBPF, Podman
In environments open to bring-your-own-code scenarios, user-provided containers are often given a lower trust status, and additional safeguards are enabled. One of these is a seccomp profile: seccomp restricts the processes in a container by allowing or denying individual system calls. Seccomp itself, however, only acts on the offending call or the calling process; it has no notion of the container. To extend these capabilities we have written an eBPF-based service that detects such seccomp violations and reliably terminates the Podman container they came from. Filters can be applied to monitor only specific users or containers.
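As an added illustration of the user-space half of such a service (this is example code written for this page, not the presenters' tool, whose eBPF side is not reproduced here), the block below assumes the eBPF probe has already delivered a violation event consisting of the PID, UID, syscall name and cgroup path of the offending process. It maps the cgroup path to a Podman container ID (assumption: the container's cgroup carries the usual `libpod-<64 hex>` name), applies the user and container filters, and hands the ID to `podman kill`. A helper also builds a minimal OCI seccomp profile that denies the chosen syscalls, with `SCMP_ACT_LOG` as a dry-run variant that records violations without blocking. The sample events are constructed.

```python
import re
import subprocess
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# Assumption: Podman names each container's cgroup "libpod-<full container ID>"
# (e.g. ".../libpod-<64 hex>.scope" under the systemd cgroup manager).
LIBPOD_CGROUP = re.compile(r"libpod-([0-9a-f]{64})")


@dataclass(frozen=True)
class SeccompEvent:
    """Violation as reported by the (assumed) eBPF probe."""
    pid: int
    uid: int
    syscall: str
    cgroup: str  # cgroup path of the offending process


@dataclass(frozen=True)
class Filter:
    """Empty sets mean 'match anything'; container values are full IDs."""
    uids: frozenset = frozenset()
    containers: frozenset = frozenset()


def container_id(cgroup_path: str) -> Optional[str]:
    """Extract the Podman container ID from a cgroup path, or None for host processes."""
    m = LIBPOD_CGROUP.search(cgroup_path)
    return m.group(1) if m else None


def select_victim(event: SeccompEvent, flt: Filter) -> Optional[str]:
    """Return the container to kill for this event, or None if it is out of scope."""
    cid = container_id(event.cgroup)
    if cid is None:
        return None  # not inside a Podman container: never kill host processes
    if flt.uids and event.uid not in flt.uids:
        return None
    if flt.containers and cid not in flt.containers:
        return None
    return cid


def kill_container(cid: str) -> bool:
    """Terminate the container; `podman kill` sends SIGKILL unless --signal is given."""
    proc = subprocess.run(["podman", "kill", cid], capture_output=True, text=True, check=False)
    return proc.returncode == 0


def process(events: Iterable[SeccompEvent], flt: Filter,
            killer: Callable[[str], bool] = kill_container) -> List[str]:
    """Handle a stream of events; each container is killed at most once."""
    killed: List[str] = []
    for ev in events:
        cid = select_victim(ev, flt)
        if cid and cid not in killed and killer(cid):
            killed.append(cid)
    return killed


def minimal_profile(denied: Iterable[str], log_only: bool = False) -> dict:
    """OCI seccomp profile: allow everything, deny (or just log) the listed syscalls.
    Use with: podman run --security-opt seccomp=profile.json ..."""
    action = "SCMP_ACT_LOG" if log_only else "SCMP_ACT_ERRNO"
    return {"defaultAction": "SCMP_ACT_ALLOW",
            "syscalls": [{"names": list(denied), "action": action}]}


# Constructed sample: two containers (rootless under uid 1000, rootful) and a host process.
CID_A = "a" * 64
CID_B = "b" * 64
SAMPLE_EVENTS = [
    SeccompEvent(4242, 1000, "mount",
                 f"0::/user.slice/user-1000.slice/user@1000.service/user.slice/libpod-{CID_A}.scope"),
    SeccompEvent(4300, 0, "mount", f"0::/machine.slice/libpod-{CID_B}.scope/container"),
    SeccompEvent(77, 1000, "mount", "0::/user.slice/user-1000.slice/session-3.scope"),
]

if __name__ == "__main__":
    # Dry run: report what would be killed instead of invoking podman.
    for ev in SAMPLE_EVENTS:
        print(ev.pid, ev.syscall, "->", select_victim(ev, Filter(uids=frozenset({1000}))))
    print(process(SAMPLE_EVENTS, Filter(), killer=lambda cid: True))
```

Run as root (or as the owning user for rootless containers) so that `podman kill` is permitted; the host-process event is ignored by design, and the filters let the service watch only untrusted users or a named set of containers.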