June 23 - 24, 2022 | Austin, Texas + Virtual

Please note all session times are listed in Central Daylight Time (CDT), UTC -5.
Thursday, June 23 • 9:50am - 10:35am
Improving Container Security with System Call Interception - Stephane Graber, Canonical Ltd. & Christian Brauner, Microsoft

Seccomp system call interception (the notify target) has been around since Linux 5.9. It allows a seccomp policy to stop the execution of a system call, notify userspace about the call and finally return the response provided by the userspace process. It can be tricky to use properly because of potential time-of-check/time-of-use (TOCTOU) issues and the need to resolve pointer arguments for some system calls. But when used properly, it allows very selective interception of actions from a very restricted, unprivileged container by a more privileged monitoring process, which can then selectively decide to re-run the call with elevated privileges. This allows far more workloads to run in unprivileged containers while retaining the ability to perform some of their more privileged tasks. In this talk, we'll go over the basics of how all of this works as well as the work we've done with system call interception in LXD. LXD currently uses the mechanism to allow some uses of a variety of system calls, including "setxattr", "bpf", "mount" and "mknod". One highlight use case is how LXD can intercept some "mount" system calls and transparently replace them with an equivalent FUSE mount.
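As an added example (not code from the talk or from LXD), this C program walks through the cycle the abstract describes: a filter that returns SECCOMP_RET_USER_NOTIF for mknodat, a forked "container" whose call is paused, and a supervisor that receives the request, validates the notification cookie before acting, and answers with a faked success or EPERM. It assumes a Linux kernel with seccomp user notification, an x86_64 or aarch64 host, and a single trusted child; the path /dev/demo-null is a made-up value and no device node is ever created.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __aarch64__
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#define DEMO_ARCH AUDIT_ARCH_X86_64   /* assumption: the host is x86_64 or aarch64 */
#endif
static struct sock_filter filter[] = {   /* kill on a foreign ABI, pause mknodat, allow the rest */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknodat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
static unsigned int filter_len(void) { return sizeof(filter) / sizeof(filter[0]); }
static unsigned int filter_ret(int i) { return filter[i].k; }
/* Supervisor: returns the child's mknodat result (0 = success faked), -2 if notify is unavailable, -1 on error. */
static int run_demo(void) {
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)) return -1;      /* lets an unprivileged task install a filter */
    struct sock_fprog prog = { .len = filter_len(), .filter = filter };
    int status, listener = syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER, SECCOMP_FILTER_FLAG_NEW_LISTENER, &prog);
    if (listener < 0) return -2;                                 /* old kernel, or a sandbox refusing the flag */
    struct seccomp_notif req = {0}; struct seccomp_notif_resp resp = {0};   /* kernel requires zeroed structs */
    pid_t pid = fork();
    if (pid == 0) {                      /* the "container": inherits the filter, so its mknodat is paused */
        close(listener);                 /* drop our copy of the listener so a dead supervisor yields ENOSYS */
        _exit(syscall(__NR_mknodat, AT_FDCWD, "/dev/demo-null", S_IFCHR | 0600, 0) ? errno : 0);
    }
    if (pid < 0 || ioctl(listener, SECCOMP_IOCTL_NOTIF_RECV, &req)) { close(listener); return -1; }
    /* args[1] is a child pointer: copy such data via /proc/<pid>/mem, THEN confirm the cookie, or a reused pid could feed us foreign bytes (TOCTOU) */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_ID_VALID, &req.id)) { close(listener); return -1; }
    resp.id = req.id;                    /* the reply becomes the child's result; the kernel never runs the call */
    resp.error = (req.data.args[2] & S_IFMT) == S_IFCHR ? 0 : -EPERM;   /* policy: character devices only */
    if (ioctl(listener, SECCOMP_IOCTL_NOTIF_SEND, &resp)) { close(listener); return -1; }
    close(listener); return waitpid(pid, &status, 0) == pid && WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
static int demo_ok(void) { int r = run_demo(); return r == 0 || r == -2; }   /* self-check: worked or unsupported */
```

A real supervisor such as the one described for LXD would perform the mknod itself with its own privileges and only then report success, rather than faking the result as this demo does.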

Stephane Graber

Project leader for LXD, Canonical Ltd.
Stéphane Graber is the upstream project leader for LXC and LXD at Canonical and a frequent speaker and track leader at events related to containers and Linux. Stéphane is a longtime contributor to the Ubuntu Linux distribution as an Ubuntu core developer and previous Ubuntu technical...
Christian Brauner

Principal Software Engineer, Microsoft Corp.
Christian Brauner is a kernel developer and maintainer of the LXD and LXC projects currently working at Microsoft. He works mostly upstream on the Linux Kernel maintaining various bits and pieces. He is strongly committed to working in the open, and an avid proponent of Free Software...

Thursday June 23, 2022 9:50am - 10:35am CDT