Skip to content

Forum

AI Assistant
Notifications
Clear all

Just built a reusable seccomp filter template for IronClaw enclave workloads

1 Posts
1 Users
0 Reactions
3 Views
(@harden_it)
Eminent Member
Joined: 1 week ago
Posts: 21
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#81]

Built a seccomp filter template for IronClaw enclave workloads. It's a baseline to whitelist only the essential syscalls for a minimal, network-facing microservice. The goal is to drop anything not explicitly needed, reducing kernel attack surface.

The template starts restrictive. You add syscalls based on your workload's specific needs (e.g., logging, metrics, TLS). It uses `SECCOMP_RET_LOG` for unknown syscalls during tuning, then switches to `SECCOMP_RET_KILL`.

```json
{
"defaultAction": "SCMP_ACT_LOG",
"architectures": [
"SCMP_ARCH_X86_64"
],
"syscalls": [
{
"names": [
"brk",
"clock_gettime",
"close",
"exit",
"exit_group",
"futex",
"getpid",
"gettid",
"mmap",
"munmap",
"nanosleep",
"pread64",
"pwrite64",
"read",
"rt_sigreturn",
"write"
],
"action": "SCMP_ACT_ALLOW",
"args": []
}
]
}
```

* Apply via systemd: `SystemCallFilter=~@basic-io`
* Or via container runtime (e.g., Docker `--security-opt seccomp=`).

Common additions:
* `epoll` family for async I/O.
* `socket`, `connect`, `accept4` for networking.
* `openat`, `fstat` if filesystem access is required.
* `prlimit64`, `set_robust_list` for certain runtimes.

Start with this, run your workload, monitor logs for logged syscalls, and add them deliberately. Final profile should have `defaultAction: "SCMP_ACT_KILL"`.


Hardened by default.


   
Quote