seitan was at DevConf.CZ 2023! Check out the slides and the recording

seitan diagram

seitan is a framework to filter, transform and impersonate system calls, enabling privilege reduction in container and virtualisation engines

It allows you to filter and replay only the system calls you need, instead of running things as root, or granting capabilities to processes.
  • seitan-cooker
    builds a BPF program and a bytecode file (gluten) from a recipe with matches on system calls and corresponding actions
  • seitan-eater
    loads the BPF program associated to the process context into the kernel, and runs the target process. Container engines such as Podman can directly load this program via OCI annotations instead
  • seitan
    is the supervisor, getting notifications via
    , interpreting them according to gluten, and triggering the configured actions as a result
Note that this project and its documentation still have some rough edges! No versions, no packages yet.

Do you want to know more?

Watch the demos below, ask your questions on the users' list, chat with us.

Do you want to contribute?

Send patches to the development list... and chat with us!

Demo: handle and impersonate connect() of a target process in several ways

Demo: issue mknod() on behalf of a Podman container