Inferensys

Glossary

Seccomp Default Deny

A security profile that blocks all system calls by default for a containerized process, explicitly allowing only a minimal set required for the application to function, reducing the kernel attack surface.
Isolated secure server room with network cables physically disconnected, minimal lighting, security-focused environment.
KERNEL ATTACK SURFACE REDUCTION

What is Seccomp Default Deny?

A security configuration for containerized processes that blocks all system calls by default, explicitly allowing only a minimal, application-required subset.

Seccomp default deny is a security profile that initializes a containerized process with a whitelist-based system call filter, blocking all kernel entry points by default. By loading a Berkeley Packet Filter (BPF) program that returns a SECCOMP_RET_KILL_PROCESS or SECCOMP_RET_ERRNO action for any unlisted syscall, the profile radically constrains the Linux kernel attack surface exposed to a compromised workload.

This approach is a core tenet of container breakout prevention, enforcing the principle of least privilege at the syscall boundary. Unlike a default-allow profile that merely blocks known dangerous calls, a default-deny posture requires profiling the application's exact runtime behavior to generate a precise, minimal allowlist—often using tools like strace or runtime monitors—ensuring that even a zero-day kernel exploit is inert if its required syscall is not explicitly permitted.

Kernel Attack Surface Reduction

Key Features of a Default Deny Seccomp Profile

A default deny seccomp profile is the foundational security posture for containerized workloads, operating on the principle of least privilege at the kernel level. By blocking all system calls by default and explicitly allowlisting only those required for the application to function, it dramatically reduces the pathways available for a container breakout or kernel exploit.

01

The Whitelisting Methodology

Unlike a default-allow approach that tries to blacklist known dangerous calls, a default deny profile starts from a position of absolute zero trust. The profile contains an explicit list of system calls (e.g., read, write, futex, nanosleep) that the process is permitted to invoke. Any unlisted call, such as ptrace, mount, or reboot, results in the kernel immediately terminating the process with a SIGKILL signal. This guarantees that even if an attacker achieves remote code execution within the container, they cannot invoke arbitrary kernel functionality to escape the namespace or install a rootkit.

02

Profile Generation via Strace

Creating a minimal seccomp profile requires tracing the application's legitimate behavior. Tools like strace or runtime security monitors log every system call made during a comprehensive test suite execution. The collected log is then parsed to generate a JSON profile containing only those observed calls. For dynamic languages like Go or Python, it is critical to trace under realistic load, as calls related to garbage collection or thread management (e.g., clone, futex) may only appear under concurrency. This trace-based generation ensures the profile is tailored to the specific application version, avoiding the fragility of generic templates.

03

Argument Filtering Precision

Seccomp-BPF (Berkeley Packet Filter) allows filtering not just on the syscall number but also on the arguments passed to it. A sophisticated default deny profile can allow socket but restrict the domain to AF_INET and AF_INET6, preventing the creation of raw sockets or local Unix sockets if not needed. Similarly, ioctl can be restricted to specific request codes required for terminal operations. This deep argument inspection closes the gap left by simple syscall allowlisting, where a permitted call could still be abused with malicious parameters to achieve privilege escalation.

04

Error Handling and Logging

When a seccomp profile blocks a syscall, the default action is to kill the thread. For production debugging, profiles can be configured to return an error code (like EPERM) instead of killing the process, or to log violations via the audit subsystem before denying. This is critical during the profile development phase. Tools like seccomp-tools or kernel audit logs (/var/log/audit/audit.log) capture the blocked syscall number and arguments, allowing engineers to iteratively refine the allowlist without causing hard crashes. In production, the action should revert to killing the process to fail securely.

05

Interaction with Container Runtimes

Modern container runtimes like containerd and CRI-O integrate seccomp profiles natively via the Kubernetes security context. A default deny profile is typically stored as a JSON file on the host node and referenced by path in the pod spec. The runtime applies the profile before the container process starts, making it an immutable part of the container's security boundary. This is distinct from userspace wrappers, as the enforcement happens directly in the kernel's seccomp filter evaluation path, which is highly performant and cannot be bypassed by the containerized process itself.

06

Defense Against Kernel Exploits

The primary value of a default deny profile is mitigating zero-day kernel vulnerabilities. Many container breakout exploits rely on invoking obscure or rarely used system calls (e.g., keyctl, userfaultfd, bpf) to trigger a use-after-free or privilege escalation bug in the kernel. By blocking these calls entirely, the seccomp filter neutralizes the exploit vector before the vulnerable kernel code is ever reached. This provides a critical layer of defense-in-depth, protecting the host kernel even when running untrusted or compromised application code inside the container.

SECCOMP DEFAULTS

Frequently Asked Questions

Clear, technical answers to the most common questions about implementing a seccomp default-deny posture for containerized machine learning workloads.

A seccomp default-deny profile is a Linux kernel security configuration that blocks all system calls for a containerized process by default, explicitly allowing only a minimal, predefined set of syscalls required for the application to function. This is the strictest possible seccomp filter action, using SCMP_ACT_ERRNO or SCMP_ACT_KILL as the default rule. Unlike the standard Docker seccomp profile, which allows over 300 syscalls by default, a true default-deny profile starts from zero and whitelists only what is absolutely necessary—often fewer than 50 syscalls for a well-understood application. This approach directly reduces the kernel attack surface, making it exponentially harder for an attacker to exploit a kernel vulnerability even if they achieve code execution within the container. The profile is typically defined as a JSON file and applied via the container runtime's --security-opt seccomp=/path/to/profile.json flag or through a Kubernetes SeccompProfile in a Pod SecurityContext.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.