https://ethanzyf.com/tags/runc/Recent content in Runc on Ethan-ZYFHugoen-usWed, 20 May 2026 00:00:00 -0700https://ethanzyf.com/blog/week2-day3-seccomp/Wed, 20 May 2026 00:00:00 -0700https://ethanzyf.com/blog/week2-day3-seccomp/<p>Where Week 1 and Week 2 meet: K8s seccomp is the <em>same</em> kernel seccomp from Week 1, except runc installs the BPF filter for you instead of your application. This post traces the full kubelet → containerd → runc chain (and what runc actually does — namespaces, cgroups, NNP, caps, seccomp, AppArmor, then exec), the three profile types (Unconfined / RuntimeDefault / Localhost), why the profile JSON is just the declarative form of the cBPF you&rsquo;d hand-write, why <code>SCMP_ACT_ERRNO</code> lets the process survive while <code>mkdir</code> returns EPERM, and the crucial limitation: seccomp blocks <em>syscalls</em>, not <em>intent</em> — block <code>mkdir</code> and <code>touch</code> (which uses <code>openat</code>) still creates files. Plus <code>/proc/&lt;pid&gt;/status</code> as the ground-truth proof a filter is loaded.</p>