SeccompRules -> SyscallRestrictions
Apply a BPF syscall filter to a target container process context based on a declarative JSON list of permitted and blocked syscalls.
Problem it solves
Containers running arbitrary code must be restricted from making dangerous or unauthorized host kernel calls.
Consumes
Emits
The real projects this mechanism was found in. Attribution is the point — this is how the best teams actually do it.