Container Internals and Runtime Engineering

Seccomp, AppArmor, and SELinux

You want to restrict which syscalls a container can make, so that even if it's compromised, it can't do much. Three technologies can do this. Which one, and how?

The concept and how it works

Coming soon.

Kernel and runtime level detail

Coming soon.

Practical examples and commands

Coming soon.

Common mistakes

Coming soon.

INTERVIEW QUESTION

How does a seccomp profile reduce container attack surface? What syscalls would you block and what breaks if you block the wrong ones?