* Christoph Hellwig: > On Tue, Nov 24, 2020 at 01:08:20PM +0100, Florian Weimer wrote: >> This documents a way to safely use new security-related system calls >> while preserving compatibility with container runtimes that require >> insecure emulation (because they filter the system call by default). >> Admittedly, it is somewhat hackish, but it can be implemented by >> userspace today, for existing system calls such as faccessat2, >> without kernel or container runtime changes. > > I think this is completely insane. Tell the OCI folks to fix their > completely broken specification instead. Do you categorically reject the general advice, or specific instances as well? Like this workaround for faccessat that follows the pattern I outlined: <https://sourceware.org/pipermail/libc-alpha/2020-November/119955.html> I value your feedback and want to make sure I capture it accurately. Thanks, Florian -- Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn, Commercial register: Amtsgericht Muenchen, HRB 153243, Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
