CME-602

seccomp-bpf Profile (Container Default)

Description

Applies the default OCI/Docker/Podman seccomp-bpf profile, which blocks roughly 44 dangerous syscalls, including kexec_load, mount and reboot. This profile is one of the foundations of container isolation.

CVSS Vector Impacts

Metric                  Transition  Rationale
Scope (S)               C → U       Blocked syscalls prevent container escape via the kernel
Attack Complexity (AC)  L → H       Many kernel exploit primitives require blocked syscalls

CWE Relationships

Verification

Verify that the container runtime has a seccomp profile applied.

Platform: linux
$ podman inspect <container> | grep -A5 SecurityOpt
# Expected: seccomp

Platform: kubernetes
$ kubectl get pod <pod> -o jsonpath='{.spec.securityContext.seccompProfile.type}'
# Expected: RuntimeDefault
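The kubectl check above reads only the pod-level field; a container-level securityContext.seccompProfile overrides it, so a single container set to Unconfined passes that check while running without the filter. The following added example (not part of this catalogue entry) computes the effective profile per container from a constructed pod manifest and reports the ones that violate CME-602; the pod spec and container names are invented for illustration.

```python
import json

# Constructed sample pod manifest (not from the catalogue): pod-level
# RuntimeDefault, one container that silently overrides it with Unconfined.
SAMPLE_POD_JSON = """
{
  "metadata": {"name": "web"},
  "spec": {
    "securityContext": {"seccompProfile": {"type": "RuntimeDefault"}},
    "initContainers": [{"name": "init", "image": "busybox"}],
    "containers": [
      {"name": "app", "image": "app:1"},
      {"name": "debug", "image": "busybox",
       "securityContext": {"seccompProfile": {"type": "Unconfined"}}},
      {"name": "legacy", "image": "legacy:2",
       "securityContext": {"seccompProfile": {"type": "Localhost",
                                              "localhostProfile": "profiles/audit.json"}}}
    ]
  }
}
"""
SAMPLE_POD = json.loads(SAMPLE_POD_JSON)

# Profile types that satisfy CME-602 (a Localhost profile still needs review).
ACCEPTABLE = {"RuntimeDefault", "Localhost"}

def _profile_type(security_context):
    """Return seccompProfile.type from a securityContext dict, or None if unset."""
    return ((security_context or {}).get("seccompProfile") or {}).get("type")

def effective_seccomp(pod):
    """Map each init/regular container name to its effective seccomp profile type.

    A container-level seccompProfile overrides the pod-level one. If neither is
    set, the kubelet applies no filter unless it runs with seccompDefault
    enabled, which a manifest cannot show; the check therefore reports
    "Unconfined" for that case so it is reviewed rather than assumed safe.
    """
    spec = pod["spec"]
    pod_level = _profile_type(spec.get("securityContext"))
    result = {}
    for c in spec.get("initContainers", []) + spec.get("containers", []):
        result[c["name"]] = _profile_type(c.get("securityContext")) or pod_level or "Unconfined"
    return result

def unconfined_containers(pod):
    """Sorted names of containers whose effective profile is not acceptable."""
    return sorted(n for n, t in effective_seccomp(pod).items() if t not in ACCEPTABLE)

if __name__ == "__main__":
    for name, ptype in effective_seccomp(SAMPLE_POD).items():
        print(f"{name}: {ptype}")
    print("CME-602 violations:", unconfined_containers(SAMPLE_POD))
```

Run it against real manifests with `kubectl get pod <pod> -o json` piped into `json.load`; the same logic applies to pod templates in Deployments and DaemonSets.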