* Christian Brauner:

> Without an approach like this certain sandboxes will fall back to
> ENOSYSing system calls they can't filter. This is a generic problem
> though with clone3() being one prominent example.

Furthermore, for glibc (and I believe musl as well), the trick with in-process emulation of clone3 using SIGSYS does not work here because we must inhibit delivery of signals on the nascent thread, before it is fully set up. This means that we have to block signals around the clone/clone3 system call, so that the new thread is created with all signals blocked. This means that instead of calling the SIGSYS handler, the filtered system call simply terminates the process.

(I think there have been discussions of using out-of-process filtering, but I don't know where we are with that.)

Thanks,
Florian