Linux seccomp-BPF filter analysis for container security forensics.
Seccomp (secure computing) profiles restrict the syscalls available to a process. In containerized environments, seccomp-BPF filters are the primary syscall-level sandbox. Analyzing these from memory helps detect container escape attempts – processes running with no seccomp filter (unconfined) inside a container are highly suspicious.
The kernel stores seccomp state in task_struct.seccomp:
- seccomp.mode: 0 = disabled, 1 = strict, 2 = filter
- seccomp.filter: pointer to a chain of seccomp_filter structs linked via seccomp_filter.prev.
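The following is an added example, not this crate's code: it models the task_struct.seccomp fields just described with constructed sample data (no memory image is read), walks the seccomp_filter chain via prev, and applies the check the description motivates, flagging a process that is unconfined (mode 0) inside a container. The Task and FilterNode structs, the in_container flag, and the depth bound on the chain walk are assumptions of the example, not fields or behaviour of the crate.

```rust
// Added example, not the crate's own code: models task_struct.seccomp and the
// seccomp_filter chain with constructed sample data (no memory image is read)
// and applies the forensic check the module description calls for.

/// task_struct.seccomp.mode values as the kernel defines them.
const SECCOMP_MODE_DISABLED: u32 = 0;
const SECCOMP_MODE_STRICT: u32 = 1;
const SECCOMP_MODE_FILTER: u32 = 2;

/// Hypothetical decoded seccomp_filter: the kernel struct holds a BPF program
/// and a `prev` pointer to the filter that was installed before this one.
#[derive(Debug, Clone)]
struct FilterNode {
    insn_count: usize,             // BPF instructions in this filter's program
    prev: Option<Box<FilterNode>>, // seccomp_filter.prev (None = end of chain)
}

/// Hypothetical decoded task; only the fields this example needs.
#[derive(Debug, Clone)]
struct Task {
    pid: u32,
    comm: String,
    in_container: bool,              // assumption: decided elsewhere (e.g. from namespaces)
    seccomp_mode: u32,               // task_struct.seccomp.mode
    filter: Option<Box<FilterNode>>, // task_struct.seccomp.filter
}

#[derive(Debug, Clone, PartialEq)]
struct SeccompReport {
    pid: u32,
    comm: String,
    mode: &'static str,
    filter_depth: usize, // number of seccomp_filter nodes reached via prev
    total_insns: usize,  // BPF instructions summed over the chain
    suspicious: bool,
}

fn mode_name(mode: u32) -> &'static str {
    match mode {
        SECCOMP_MODE_DISABLED => "disabled",
        SECCOMP_MODE_STRICT => "strict",
        SECCOMP_MODE_FILTER => "filter",
        _ => "unknown",
    }
}

/// Follow seccomp_filter.prev from the newest filter back to the oldest.
/// `max_depth` bounds the walk so a corrupted or cyclic chain in a memory
/// image cannot make the analysis loop forever.
fn walk_filter_chain(head: Option<&FilterNode>, max_depth: usize) -> (usize, usize) {
    let (mut depth, mut insns) = (0usize, 0usize);
    let mut cur = head;
    while let Some(node) = cur {
        if depth >= max_depth {
            break;
        }
        depth += 1;
        insns += node.insn_count;
        cur = node.prev.as_deref();
    }
    (depth, insns)
}

fn analyze_task(task: &Task) -> SeccompReport {
    let (depth, insns) = walk_filter_chain(task.filter.as_deref(), 64);
    // mode says "filter" but no filter is attached, or a filter exists without
    // filter mode: a state the kernel never produces, so treat it as suspicious
    let inconsistent = (task.seccomp_mode == SECCOMP_MODE_FILTER) != (depth > 0);
    // the main signal from the description: an unconfined process inside a container
    let unconfined = task.in_container && task.seccomp_mode == SECCOMP_MODE_DISABLED;
    SeccompReport {
        pid: task.pid,
        comm: task.comm.clone(),
        mode: mode_name(task.seccomp_mode),
        filter_depth: depth,
        total_insns: insns,
        suspicious: inconsistent || unconfined,
    }
}

fn analyze_tasks(tasks: &[Task]) -> Vec<SeccompReport> {
    tasks.iter().map(analyze_task).collect()
}

/// Constructed sample process list standing in for a decoded memory image.
fn sample_tasks() -> Vec<Task> {
    let runtime_filter = FilterNode { insn_count: 300, prev: None };
    let app_filter = FilterNode { insn_count: 120, prev: Some(Box::new(runtime_filter)) };
    vec![
        Task { pid: 1, comm: "systemd".into(), in_container: false,
               seccomp_mode: SECCOMP_MODE_DISABLED, filter: None },
        Task { pid: 1234, comm: "nginx".into(), in_container: true,
               seccomp_mode: SECCOMP_MODE_FILTER, filter: Some(Box::new(app_filter)) },
        Task { pid: 1300, comm: "sh".into(), in_container: true,
               seccomp_mode: SECCOMP_MODE_DISABLED, filter: None },
        Task { pid: 1400, comm: "node".into(), in_container: true,
               seccomp_mode: SECCOMP_MODE_FILTER, filter: None },
    ]
}

fn main() {
    for r in analyze_tasks(&sample_tasks()) {
        println!("pid {:>5} {:<8} mode={:<8} filters={} insns={} suspicious={}",
                 r.pid, r.comm, r.mode, r.filter_depth, r.total_insns, r.suspicious);
    }
}
```

Two design points: the chain walk is depth-bounded because pointers recovered from a memory image may be stale or corrupted, and the mode/filter consistency check catches states the kernel itself never produces, which is worth reporting alongside the unconfined-in-container case.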
Structs
- SeccompInfo - Seccomp profile information extracted from a process's task_struct.
Functions
- walk_seccomp_profiles - Walk seccomp profile information for each process in the provided list.