DevConf.cz 2023
Friday, June 16 • 1:30pm - 2:05pm
seitan: A plant-based recipe against syscall anxiety

Privilege separation in containers and virtual machines is essential for running untrusted workloads. Security-relevant actions are typically mediated and performed by privileged components on behalf of applications.

There is currently no common framework to describe these actions and their security constraints across virtualisation and container stacks.
Seitan (in early development) opts for a unified, declarative, auditable approach over the imperative model found in existing solutions: it uses system calls as the abstraction for access to privileged resources, leveraging BPF and seccomp notifiers (the seccomp user notification mechanism).

Cluster administrators describe the filtered system calls in a JSON recipe, associating each with a privileged operation. The supervisor evaluates incoming seccomp notifications against a bytecode of matches and their corresponding actions.
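Seitan's own recipe format and supervisor are not reproduced here. The C program below is an added example, not code from Seitan or its authors, showing the kernel mechanism the paragraph above builds on: a target thread installs a BPF filter that returns SECCOMP_RET_USER_NOTIF for mkdirat(2), and a supervisor reads each notification, applies one hard-coded rule standing in for a JSON recipe (an absolute path below an allowed prefix is created by the supervisor on the target's behalf; anything else fails with EPERM) and sends the result back. The directory names, the single-rule policy, the use of a thread instead of a separate supervisor process, and the function names (`install_filter`, `supervise`, `target`, `run_demo`) are all assumptions of this example, not Seitan's design.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <poll.h>
#include <pthread.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64   /* pin the ABI: syscall numbers differ per arch */
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#else
#error "add this architecture's AUDIT_ARCH_* value"
#endif

static char g_ok[48], g_bad[48]; /* constructed paths the target will try to create */
static int g_pipe[2];            /* carries the listener fd from target to supervisor */

/* Target side: mkdirat(2) is routed to the supervisor, everything else runs as usual.
 * Returns the listener fd (SECCOMP_FILTER_FLAG_NEW_LISTENER) or -1. */
static int install_filter(void)
{
    struct sock_filter prog[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mkdirat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_USER_NOTIF),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog fprog = { .len = sizeof(prog) / sizeof(prog[0]), .filter = prog };

    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0)
        return -1;
    return (int)syscall(SYS_seccomp, SECCOMP_SET_MODE_FILTER,
                        SECCOMP_FILTER_FLAG_NEW_LISTENER, &fprog);
}

/* Supervisor side. The whole "recipe" is one rule: mkdirat of an absolute path below
 * allowed_prefix is performed here, on the target's behalf; anything else gets EPERM.
 * Handles `count` notifications and returns how many it denied, or -1 on error. */
static int supervise(int notif_fd, const char *allowed_prefix, int count)
{
    struct seccomp_notif_sizes sz;
    struct seccomp_notif *req = NULL;
    struct seccomp_notif_resp *resp = NULL;
    int denied = 0;

    if (syscall(SYS_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sz) < 0 ||
        !(req = calloc(1, sz.seccomp_notif)) || !(resp = calloc(1, sz.seccomp_notif_resp)))
        denied = -1;
    for (int i = 0; i < count && denied >= 0; i++) {
        struct pollfd pfd = { .fd = notif_fd, .events = POLLIN };
        char procmem[32], path[256];
        ssize_t n = -1;
        int fd, err = -EPERM;

        memset(req, 0, sz.seccomp_notif); /* RECV rejects a buffer that is not zeroed */
        if (poll(&pfd, 1, 5000) != 1 || ioctl(notif_fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0) {
            denied = -1;                  /* target gone or stuck: never block forever */
            break;
        }
        /* Copy the pathname (args[1]) out of the target; never dereference its pointer. */
        snprintf(procmem, sizeof(procmem), "/proc/%d/mem", (int)req->pid);
        if ((fd = open(procmem, O_RDONLY)) >= 0) {
            n = pread(fd, path, sizeof(path) - 1, (off_t)req->data.args[1]);
            close(fd);
        }
        /* The PID may have been recycled while we read: re-validate before acting. */
        if (ioctl(notif_fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &req->id) < 0)
            continue;
        if (n > 0 && memchr(path, '\0', (size_t)n) && path[0] == '/' &&
            strncmp(path, allowed_prefix, strlen(allowed_prefix)) == 0)
            err = mkdir(path, (mode_t)req->data.args[2]) == 0 ? 0 : -errno;
        denied += (err == -EPERM);
        memset(resp, 0, sz.seccomp_notif_resp);
        resp->id = req->id;
        resp->error = err;                /* becomes the target's mkdirat() result */
        if (ioctl(notif_fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
            denied = -1;
    }
    free(req);
    free(resp);
    return denied;
}

/* Target thread: install the filter, hand the listener over, then try both mkdirs.
 * Returns a bitmask: 1 = allowed path succeeded, 2 = the other one failed with EPERM. */
static void *target(void *unused)
{
    int fd = install_filter();
    long code = 0;

    (void)unused;
    if (write(g_pipe[1], &fd, sizeof(fd)) != sizeof(fd) || fd < 0)
        return (void *)-1L;
    if (syscall(SYS_mkdirat, AT_FDCWD, g_ok, 0700) == 0)
        code |= 1;
    if (syscall(SYS_mkdirat, AT_FDCWD, g_bad, 0700) < 0 && errno == EPERM)
        code |= 2;
    return (void *)code;
}

/* Run target and supervisor together; 3 means the recipe worked, anything else failed. */
int run_demo(void)
{
    char base[] = "/tmp/seitan-demo-XXXXXX";
    void *code = (void *)-1L;
    pthread_t tid;
    int notif_fd = -1, denied = -1;

    if (!mkdtemp(base) || pipe(g_pipe) < 0)
        return -1;
    snprintf(g_ok, sizeof(g_ok), "%s/allowed", base);
    snprintf(g_bad, sizeof(g_bad), "%s/denied", base);
    if (pthread_create(&tid, NULL, target, NULL) == 0 &&
        read(g_pipe[0], &notif_fd, sizeof(notif_fd)) == sizeof(notif_fd) && notif_fd >= 0) {
        denied = supervise(notif_fd, g_ok, 2);
        close(notif_fd); /* a request still pending now fails with ENOSYS, so join cannot hang */
        pthread_join(tid, &code);
    }
    close(g_pipe[0]);
    close(g_pipe[1]);
    rmdir(g_ok);
    rmdir(g_bad);
    rmdir(base);
    return denied == 1 ? (int)(long)code : -1;
}

int main(void) { return run_demo() == 3 ? 0 : 1; } /* stand-alone entry point */
```

The two steps that matter for safety are copying the pathname out of the target through /proc/PID/mem instead of trusting its pointer, and re-checking the notification id with SECCOMP_IOCTL_NOTIF_ID_VALID after that read, since the PID could have been recycled in between. Performing the mkdir in the supervisor rather than answering with SECCOMP_USER_NOTIF_FLAG_CONTINUE means the decision and the action use the same copy of the path, which closes the time-of-check/time-of-use window the kernel documentation warns about for CONTINUE. Caveats: the supervisor acts in its own namespaces and with its own credentials, so a deployment mediating for a container has to enter the target's mount namespace (or resolve relative paths through the target's dirfd) first; the prefix match is deliberately naive; and the program needs Linux 5.0 or newer plus permission to install seccomp filters. Build with `cc -o seitan-demo seitan-demo.c` (add `-lpthread` on glibc older than 2.34); it exits 0 when run_demo() returns 3.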

In this talk, we’ll write (and test!) example JSON recipes.

With Seitan you can bake any recipe to suit your taste!


Alice Frosi

Principal Engineer, Red Hat
Alice is a Principal Software Engineer working on KubeVirt, virtualization, and containers. She focuses mostly on storage topics but she has fun exploring all possible combinations of containers and VMs.

Stefano Brivio

Principal Software Engineer, Red Hat GmbH
Stefano is a Principal Software Engineer at Red Hat, currently working on a virtualisation team with focus on networking. A long-time Linux kernel developer, with recent contributions mostly centered on netfilter (authored nft_set_pipapo) and core networking (IPv6, routing). He recently...

Friday June 16, 2023 1:30pm - 2:05pm CEST
E112 | Talks