Seitan: A Plant-Based Recipe Against Syscall Anxiety

Explore a unified approach to privilege separation in containers and virtual machines through this DevConf conference talk. Dive into Seitan, an early development framework that uses a declarative, auditable model for describing security-relevant actions and constraints across virtualization and container stacks. Learn how Seitan leverages system calls as an abstraction for privileged resource access, utilizing BPF and seccomp notifiers. Discover how cluster administrators can create JSON recipes to describe filtered system calls and associate them with privileged operations. Witness practical examples as the speakers demonstrate writing and testing JSON recipes. Gain insights into how Seitan's supervisor evaluates seccomp notifications against bytecode with matches and corresponding actions, offering a flexible solution for enhancing security in untrusted workload execution.