* Andy Lutomirski: > I would personally *love* it if distros started setting no_new_privs > for basically all processes. Wouldn't no_new_privs inhibit all security transitions, including those that reduce privileges? And therefore effectively reduce security? > Anyway, clone(2) is an enormous mess. Surely the right solution here > is to have a whole new process creation API that takes a big, > extensible struct as an argument, and supports *at least* the full > abilities of posix_spawn() and ideally covers all the use cases for > fork() + do stuff + exec(). It would be nifty if this API also had a > way to say "add no_new_privs and therefore enable extra functionality > that doesn't work without no_new_privs". This functionality would > include things like returning a future extra-privileged pidfd that > gives ptrace-like access. I agree that consistent replacement for the clone system call makes sense. I'm not sure if covering everything that posix_spawn could do would make sense. There seems to be some demand to be able to do large parts of container setup using posix_spawn, so we'll probably add support for things like writing to arbitrary files eventually. And of course, proper error reporting, so that you can figure out which file creation action failed. Thanks, Florian