On Wed, May 11, 2022 at 09:11:56AM +0200, Arnd Bergmann wrote: > On Mon, May 9, 2022 at 12:00 PM Christian Brauner <brauner@xxxxxxxxxx> wrote: > ..... > > I can try and move a poc for this up the todo list. > > > > Without an approach like this certain sandboxes will fallback to > > ENOSYSing system calls they can't filter. This is a generic problem > > though with clone3() being one promiment example. > > Thank you for the detailed reply. It sounds to me like this will eventually have > to get solved anyway, so we could move ahead without clone() on loongarch, > and just not have support for Chrome until this is fully solved. > > As both the glibc and musl ports are being proposed for inclusion right > now, we should try to come to a decision so the libc ports can adjust if > necessary. Adding both mailing lists to Cc here, the discussion is archived > at [1]. > > Arnd > > [1] https://lore.kernel.org/linux-arch/20220509100058.vmrgn5fkk3ayt63v@wittgenstein/ Having read about the seccomp issue, I think it's a very strong argument that __NR_clone should be kept permanently for all future archs. Otherwise, at least AIUI, it's impossible to seccomp-sandbox multithreaded programs (since you can't allow the creation of threads without also allowing other unwanted use of clone3). It sounds like there's some interest in extending seccomp to allow filtering of argument blocks like clone3 uses, but some of what I read about was checksum-based (thus a weak hardening measure at best, not a hard privilege boundary) and even if something is eventually created that works, it won't be available right away, and it won't be nearly as easy to use as just allowing thread-creating clone syscalls on existing archs. Rich