* Jann Horn:

> But if you can't tell whether the more modern syscall failed because
> of a seccomp filter, you may be forced to retry with an older syscall
> even on systems where the new syscall works fine, and such a fallback
> may reduce security or reliability if you're trying to use some flags
> that only the new syscall provides for security, or something like
> that. (As a contrived example, imagine being forced to retry any
> tgkill() that fails with EPERM as a tkill() just in case you're
> running under a seccomp filter.)

We have exactly this situation with faccessat2 and faccessat today.
EPERM could mean a reject from an LSM, and we really don't want to do
our broken fallback in this case because it will mask the EPERM error
from the LSM (and the sole purpose of faccessat2 is to get that error).

This is why I was so eager to start using faccessat2 in glibc, and we
are now encountering breakage with container runtimes. Applications
call faccessat (with a non-zero flags argument) today, and they now get
routed to the faccessat2 entry point, without needing recompilation or
anything like that.

We have the same problem for any new system call, but it's different
this time because it affects 64-bit hosts *and* existing applications.

And as I explained earlier, I want to take this opportunity to get
consensus on how to solve this properly, so that we are ready for a new
system call where incorrect fallback would definitely reintroduce a
security issue. Whether it's that ugly probing sequence, a change to
the OCI specification that gets deployed in a reasonable time frame, or
something else that I haven't thought of—I do not have a very strong
preference, although I lean towards the spec change myself. But I do
feel that we shouldn't throw in a distro-specific patch to paper over
the current faccessat2 issue and forget about it.

Thanks,
Florian
-- 
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael O'Neill
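
The fallback rule discussed in the message above, as an added example that is not part of the original e-mail and is not glibc's code: fall back to the old entry point only on ENOSYS, and return EPERM unchanged because it may be an LSM verdict. The names `check_access` and `fake_*` are hypothetical; the fakes are constructed stand-ins for a kernel without faccessat2 and for a seccomp filter that answers EPERM, and syscall number 439 is assumed when the headers predate faccessat2.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

#ifndef SYS_faccessat2
#define SYS_faccessat2 439 /* assumed: faccessat2 number on current architectures */
#endif

typedef int (*access_fn)(int dirfd, const char *path, int mode, int flags);

/* New entry point: the kernel itself evaluates the flags. */
int raw_faccessat2(int d, const char *p, int m, int f)
{ return (int)syscall(SYS_faccessat2, d, p, m, f); }
/* Old entry point: no flags argument at the kernel interface, so they are lost. */
int raw_faccessat(int d, const char *p, int m, int f)
{ (void)f; return (int)syscall(SYS_faccessat, d, p, m); }

/* Constructed stand-ins: missing syscall, seccomp answering EPERM, plain success. */
int fake_enosys(int d, const char *p, int m, int f)
{ (void)d; (void)p; (void)m; (void)f; errno = ENOSYS; return -1; }
int fake_seccomp_eperm(int d, const char *p, int m, int f)
{ (void)d; (void)p; (void)m; (void)f; errno = EPERM; return -1; }
int fake_ok(int d, const char *p, int m, int f)
{ (void)d; (void)p; (void)m; (void)f; return 0; }

/* Policy: fall back only on ENOSYS; any other error is a real answer. */
/* Returns 0 (new syscall answered), 1 (fallback answered) or -errno. */
int check_access(access_fn newer, access_fn older,
                 int dirfd, const char *path, int mode, int flags)
{
    if (newer(dirfd, path, mode, flags) == 0)
        return 0;
    if (errno != ENOSYS)
        return -errno;          /* keep EPERM/EACCES: never mask it */
    return older(dirfd, path, mode, flags) == 0 ? 1 : -errno;
}

int main(void)
{
    access_fn news[] = { raw_faccessat2, fake_enosys, fake_seccomp_eperm };
    const char *names[] = { "real faccessat2", "no such syscall", "seccomp EPERM" };
    for (int i = 0; i < 3; i++)
        printf("%-16s -> %d\n", names[i],
               check_access(news[i], raw_faccessat, AT_FDCWD, "/", R_OK, AT_EACCESS));
    return 0;
}
```

The "seccomp EPERM" row is the container-runtime breakage the message describes: with this policy the caller sees EPERM even though the old syscall would have worked, because the filter's answer cannot be told apart from an LSM denial.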