On Mon, Jul 25, 2022 at 02:33:05PM -0400, Cristian Rodríguez via Libc-alpha wrote:
> On Mon, Jul 25, 2022 at 1:44 PM Rich Felker <dalias@xxxxxxxx> wrote:
> >
> > Then don't fall back to /dev/urandom.
>
> Those are my thoughts as well... but __libc_fatal() if there is no
> usable getrandom syscall with the needed semantics, in short making
> this interface usable only when the kernel is.
>
> This is quite drastic, but probably the only sane way to go.

You can at least try the sysctl and possibly also /dev approaches and
only treat this as fatal as a last resort. If you can inspect
entropy_avail or poll /dev/random to determine that the pool is
initialized this is very safe, I think. And some research on distro
practices might uncover whether this should be believed to be complete.

(Note: I know some folks have raised seccomp sandboxing as an issue
too, but unlike kernel which is sometimes locked in by legacy hardware,
bad seccomp filters are in principle always fixable and are a form of
user/admin error since it's not valid to make assumptions about what
syscalls libc needs.)

Rich
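The layered approach Rich sketches (getrandom first, then the sysctl and /dev checks to confirm the pool is initialized, fatal only as a last resort) as an added, self-contained Linux example. This is illustration code written for this page, not glibc's or musl's implementation and not code from anyone in the thread. The 128-bit entropy_avail threshold, the zero-timeout poll, and the function names are assumptions chosen for the example.

```c
/* Added example: probe for a random source whose seeding we can vouch for.
 * Order follows the suggestion in the thread:
 *   1. getrandom(2), which only returns once the pool is initialized;
 *   2. if the syscall is absent (ENOSYS) or filtered (EPERM), confirm the
 *      pool is initialized via poll(/dev/random) or the entropy_avail
 *      sysctl, then read /dev/urandom;
 *   3. otherwise refuse, which the caller may treat as fatal.
 * Threshold and timeout values below are assumptions for this example. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/random.h>
#include <unistd.h>

enum rng_source {
    RNG_UNAVAILABLE = -1,      /* no source with a verifiably seeded pool */
    RNG_GETRANDOM = 0,
    RNG_URANDOM_VERIFIED = 1,  /* /dev/urandom after the pool was shown ready */
};

static const int ENTROPY_AVAIL_MIN = 128;  /* assumed threshold, in bits */

/* Parse the text of /proc/sys/kernel/random/entropy_avail; -1 if malformed. */
int parse_entropy_avail(const char *text)
{
    char *end;
    errno = 0;
    long v = strtol(text, &end, 10);
    if (end == text || errno != 0 || v < 0 || v > 1000000)
        return -1;
    while (*end == ' ' || *end == '\n') end++;
    return *end == '\0' ? (int)v : -1;
}

/* Read exactly n bytes, retrying on EINTR and short reads. 0 on success. */
int read_fully(int fd, unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR) continue;
        if (r <= 0) return -1;
        got += (size_t)r;
    }
    return 0;
}

/* Sysctl check: entropy_avail at or above the assumed threshold. */
int entropy_avail_ok(void)
{
    char text[32] = {0};
    int fd = open("/proc/sys/kernel/random/entropy_avail", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return 0;
    ssize_t r = read(fd, text, sizeof text - 1);
    close(fd);
    return r > 0 && parse_entropy_avail(text) >= ENTROPY_AVAIL_MIN;
}

/* /dev check: /dev/random becomes readable only once the kernel considers
 * the pool initialized (newer kernels) or sufficiently filled (older ones). */
int dev_random_pool_ready(int timeout_ms)
{
    int fd = open("/dev/random", O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return 0;
    struct pollfd pfd = { .fd = fd, .events = POLLIN };
    int rc;
    do { rc = poll(&pfd, 1, timeout_ms); } while (rc < 0 && errno == EINTR);
    close(fd);
    return rc == 1 && (pfd.revents & POLLIN) != 0;
}

enum rng_source fill_random(unsigned char *buf, size_t n)
{
    size_t got = 0;
    int err = 0;
    while (got < n) {                       /* 1. getrandom(2) */
        ssize_t r = getrandom(buf + got, n - got, 0);
        if (r < 0 && errno == EINTR) continue;
        if (r < 0) { err = errno; break; }
        got += (size_t)r;
    }
    if (got == n) return RNG_GETRANDOM;
    if (err != ENOSYS && err != EPERM) return RNG_UNAVAILABLE;

    /* 2. No usable syscall: trust /dev/urandom only if the pool is known ready. */
    if (!dev_random_pool_ready(0) && !entropy_avail_ok()) return RNG_UNAVAILABLE;
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return RNG_UNAVAILABLE;
    int rc = read_fully(fd, buf, n);
    close(fd);
    return rc == 0 ? RNG_URANDOM_VERIFIED : RNG_UNAVAILABLE;
}

/* 3. Last resort: refuse rather than hand out bytes of unknown quality. */
void fill_random_or_die(unsigned char *buf, size_t n)
{
    if (fill_random(buf, n) == RNG_UNAVAILABLE) {
        fputs("fatal: no random source with a verifiably seeded pool\n", stderr);
        abort();
    }
}

/* Which source the probe chain settles on for a 32-byte request. */
enum rng_source probe_source(void)
{
    unsigned char scratch[32];
    return fill_random(scratch, sizeof scratch);
}

int main(void)
{
    unsigned char key[16];
    fill_random_or_die(key, sizeof key);
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    putchar('\n');
    return 0;
}
```

EPERM is treated like ENOSYS so that a seccomp filter that blocks the syscall still reaches the /dev path; whether that leniency is wanted is a policy choice, since the thread's position is that such filters are an admin error. The two pool checks are OR'd because entropy_avail reporting differs across kernel versions, while /dev/random readability is the more direct signal.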