Loading…
Attending this event?
Back To Schedule
Friday, June 16 • 1:30pm - 2:05pm
seitan: A plant-based recipe against syscall anxiety

Sign up or log in to save this to your schedule, view media, leave feedback and see who's attending!

Tweet Share
Privilege separation in containers and virtual machines is an essential security factor for the execution of untrusted workloads. Security-relevant actions are typically mediated and performed by privileged components, on behalf of applications.

There is currently no common framework to describe these actions and security constraints, across virtualisation and container stacks.
Seitan (early development) opts for a unified, declarative, auditable approach over the imperative model found in existing solutions, using system calls as abstraction for access to privileged resources, leveraging BPF and seccomp notifiers.

Cluster administrators describe filtered system calls in a JSON recipe, associating them with privileged operations. The supervisor evaluates seccomp notifications against a bytecode with matches and corresponding actions.

In this talk, we’ll write (and test!) example JSON recipes.

With Seitan you can bake any recipe to suit your taste!
Speakers
avatar for Alice Frosi

Alice Frosi

Developer, Red Hat
I'm a Red Hat developer in cloud and virtualization.
avatar for Stefano Brivio

Stefano Brivio

Principal Software Engineer, Red Hat GmbH
Stefano is a Principal Software Engineer at Red Hat, currently working on a virtualisation team with focus on networking. A long-time Linux kernel developer, with recent contributions mostly centered on netfilter (authored nft_set_pipapo) and core networking (IPv6, routing). He recently... Read More →


Friday June 16, 2023 1:30pm - 2:05pm CEST
E112 | Talks
  Linux Distributions and Operating Systems, Talk
Feedback form isn't open yet.

Attendees (16)