KubeRosy: A Dynamic System Call Filtering Framework for Containers

Authors: Jin Her, Chi Hyeon Jo, Taejune Park, Seungsoo Lee
Source: IEEE Access, Vol. 12, pp. 159889-159901 (2024)
Publication Year: 2024
Publisher: IEEE, 2024.

Abstract

With the rapid adoption of cloud environments, container technology has become crucial for the efficient operation of large-scale applications. Although container technology offers high efficiency and scalability through low-level isolation via shared host operating systems, it also introduces security vulnerabilities, such as container escape and privilege escalation attacks through system call exploitation. Seccomp-BPF, one of the most widely used system call filtering mechanisms, supports container environments but cannot update system call policies while containers are running. To address these limitations, we propose KubeRosy, a system call filtering framework that allows dynamic modification of system call policies without downtime, even during container runtime. KubeRosy leverages eBPF and LSM hooks to support fine-grained system call policies while ensuring compatibility with existing Seccomp-BPF environments. This approach enables the application of customized, granular system call policies tailored to container environments, thereby reducing the attack surface. Our evaluation shows that KubeRosy incurs an additional overhead of only 722 ns compared to traditional Seccomp-BPF, which is negligible. Furthermore, KubeRosy allows for dynamic policy modification without container downtime and provides precise argument-based filtering, demonstrating its practicality and efficiency.

Details

Language: English
ISSN: 21693536
Volume: 12
Database: Directory of Open Access Journals
Journal: IEEE Access
Publication Type: Academic Journal
Accession number: edsdoj.6cad7f7589e641ffb95462bbd164787c
Document Type: article
Full Text: https://doi.org/10.1109/ACCESS.2024.3486772