(resending without HTML this time, sorry for a possible duplicate)

Tue, 11 Jan 2022 at 09:13, Matthew Garrett <mjg59@xxxxxxxxxxxxx>:
> The goal is to identify a solution that avoids the enterprise kernels
> needing to do their own thing. They're in a position to globally
> LD_PRELOAD something to thunk getrandom() to improve compatibility if
> they want to, and they're also able to define the expected level of
> breakage if you enable FIPS mode. An approach that allows a single
> kernel to provide different policies in different contexts (eg,
> different namespaces could have different device nodes providing
> /dev/random) makes it easier to configure that based on customer
> requirements.

LD_PRELOAD is not a solution because of containers (that need to be
modified to make use of the preloadable library) and statically-linked
binaries.

-- 
Alexander E. Patrakov