Automatic Seccomp Syscall Policy Generator

This thesis deals with the design and implementation of a tool that transforms a system call log into a policy limiting system call usage in the GNU/Linux operating system. The motivation arose from the need to create such policies automatically. In this thesis, we dealt with the intermediate data structure that represents the system call log, and with the simplification of this data structure, to which optimization algorithms were applied. The first implemented algorithm was minimax and the other was the clustering algorithm DBSCAN. The last part of the thesis describes the testing methods. We tested the particular modules and the whole tool as a unit. During testing, issues arose that prevented comprehensive testing.


Faculty of Information Technology

Date of Completion




Turoňová Lenka


Daniel Kopeček


Tamaškovič Marek