On 3/6/23 13:38, Richard W.M. Jones wrote: > On Sun, Mar 05, 2023 at 12:18:18AM +0100, Kevin Kofler via devel wrote: >> David Michael wrote: >>> - Firecracker can be built with Fedora's libc (glibc), but it is >>> officially unsupported upstream[3]. Functionality would be harmed by >>> not using musl, e.g. seccomp filters are not used. >> >> Upstream's refusal to write seccomp filters that work with glibc should be a >> red flag. It is definitely possible to sandbox glibc applications with >> seccomp, e.g., Chromium does it. It does need updates/fixes to the seccomp >> rules with almost every new version of glibc, but it is possible. > > And since we're talking hypervisors, qemu also manages to use glibc & > implement a seccomp filter. Is it an allowlist or a blocklist? Allowlists are much more secure, but require knowing about *everything* that a program will ever execute. Static linking makes this much easier to ensure. IIUC the main problem with musl is the lack of NSS support, which means that name lookups won’t work. One option would be to split Firecracker into two processes: a launcher that does all name lookups, and a sandboxed process that does everything else. -- Sincerely, Demi Marie Obenour (she/her/hers) _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
