SECCOMP ("SECure COMPuting with filters") is a Linux kernel syscall filtering mechanism that reduces the kernel attack surface by blocking (or at least audit-logging) syscalls a process does not normally use. Recent security best practices recommend, and certain highly security-conscious organizations are beginning to require, that SECCOMP be used to the extent possible. The major web browsers, container runtime engines, and systemd are all examples of software that already support SECCOMP.
This talk covers SECCOMP applied to PostgreSQL via two different methods -- namely top-down using systemd, and at the session level using a PostgreSQL extension called pgseccomp. The two methods will be explained and compared. We will also discuss how and why the two methods might be used in conjunction. Finally, a process to determine the list of expected/legitimate PostgreSQL kernel syscalls is described.
Speakers: Joe Conway