Explore the seccomp (secure computing) facility for limiting the kernel attack surface in this comprehensive conference talk. Learn how to select permitted system calls and restrict their arguments using BPF programs. Discover applications of seccomp in sandboxing, failure-mode testing, web browsers, and container systems. Delve into the basics of the BPF virtual machine, examine filtering program examples, and explore productivity aids for writing seccomp filters. Gain insights into the history, functionality, and implementation of seccomp, including BPF instructions, system call data handling, and filter program structures. Consider important caveats and limitations when using seccomp for system call filtering. Presented by Michael Kerrisk, renowned author of "The Linux Programming Interface" and maintainer of the Linux man-pages project, this talk provides valuable knowledge for developers and system administrators working with Linux and UNIX systems.