
Deferring seccomp decisions to user space

Posted Jun 2, 2018 13:04 UTC (Sat) by brauner (subscriber, #109349)
Parent article: Deferring seccomp decisions to user space

This is a much-needed patchset and I'm really happy that since the first design discussions at Plumbers last year it has seen rapid development thanks to Tycho. No one has really done a lot of bikeshedding on it, which is great!

It seems that people didn't really notice how many use cases this will enable once this is merged. If I were one of the gvisor guys I'd take a very close look at this patchset and whether it'd be possible to kick out ptrace.

It's excellent that we've managed to decouple this from the ebpf seccomp patchset. The last step is to hopefully not tie this to netlink as this looks like a lot of protocol for not much gain in this case. But we'll see.


Deferring seccomp decisions to user space

Posted Jun 3, 2018 13:11 UTC (Sun) by jhoblitt (subscriber, #77733) (2 responses)

The "gain" of using netlink is a standard client lib, such as libnl, could be used instead of every service having a custom interface with semantics that evolve differently than other kernel interfaces over time. Imagine what the state of interoperability would be if most "ReSTful" web APIs used a custom serialization format instead of JSON?

Deferring seccomp decisions to user space

Posted Sep 14, 2018 13:32 UTC (Fri) by mathstuf (subscriber, #69389) (1 response)

Well, that'd work if Go projects weren't so intent on not using *any* non-Go code in their stacks…</snark>

To not make this just a snark, I'll add a data point. I've seen git-lfs not want to fork out to Git for things like `remote get-url` and rather re-implement `insteadOf` and `pushInsteadOf` yet again. And so git-lfs is still broken with alias remote URLs that differ in push and pull. Attribute reading is also broken in the case of user "[attr]" attributes. Yes, both have issues filed (and I don't know Go (yet?) well enough to fix it myself).

I believe the *only* thing they fork for is to find out the version of Git used elsewhere. There might be one or two more instances as well, but they're of a similar level of actual functionality sharing.

Deferring seccomp decisions to user space

Posted Sep 14, 2018 14:46 UTC (Fri) by zlynx (guest, #2285)

I implemented a Go netlink reader for connection tracking. It wasn't hard for the most part (I do wish someone had explicitly written a few comments about data alignment instead of making it implicitly hidden in macros if I remember correctly).

I do wish that the netlink formats were better documented.

Calling C code from Go causes all sorts of complex interactions with the green threads and garbage collection so it is not a good idea to casually link into CGo.
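The alignment rule zlynx mentions is the part of the netlink attribute format that the kernel's `NLA_ALIGN()`/`NLA_HDRLEN` macros hide: each `struct nlattr` carries a 16-bit length covering header plus payload, and the next attribute starts at the length rounded up to 4 bytes, with the padding not counted in `nla_len`. The following Go program is an added example written for this page (it is not zlynx's reader or any netlink library's code) that decodes such a TLV stream while bounds-checking every length field, which is the defensive detail a reader of untrusted or corrupt messages needs. The attribute type numbers in the sample message are made up for illustration and are not real `CTA_*` values; the host is assumed to be little-endian, since netlink uses host byte order.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// Wire layout of one netlink attribute (struct nlattr from <linux/netlink.h>):
//   uint16 nla_len   header + payload length, host byte order
//   uint16 nla_type  low 14 bits are the type; bit 15 is NLA_F_NESTED
//   payload of nla_len-4 bytes
//   zero padding up to the next 4-byte boundary (NLA_ALIGNTO), not counted in nla_len
const (
	nlaAlignTo  = 4
	nlaHdrLen   = 4
	nlaTypeMask = 0x3fff
	nlaFNested  = 1 << 15
)

// Netlink fields are in host byte order; a little-endian host (x86-64, arm64) is assumed here.
var host = binary.LittleEndian

// nlaAlign rounds a length up to NLA_ALIGNTO, the same arithmetic as the NLA_ALIGN() macro.
func nlaAlign(n int) int { return (n + nlaAlignTo - 1) &^ (nlaAlignTo - 1) }

// Attr is one decoded attribute. Data aliases the input buffer.
type Attr struct {
	Type   uint16
	Nested bool
	Data   []byte
}

var ErrMalformed = errors.New("netlink: truncated or malformed attribute")

// ParseAttrs walks a run of nlattr TLVs. Each nla_len is checked against the
// bytes actually present before any slicing, so a corrupt or hostile length
// field produces an error instead of a panic or an out-of-bounds read.
func ParseAttrs(buf []byte) ([]Attr, error) {
	var out []Attr
	// Like the kernel's nla_for_each_attr(), stop once fewer than a header's
	// worth of bytes remain; that is also how trailing padding gets skipped.
	for len(buf) >= nlaHdrLen {
		nlaLen := int(host.Uint16(buf[0:2]))
		rawType := host.Uint16(buf[2:4])
		if nlaLen < nlaHdrLen || nlaLen > len(buf) {
			return nil, ErrMalformed
		}
		out = append(out, Attr{
			Type:   rawType & nlaTypeMask,
			Nested: rawType&nlaFNested != 0,
			Data:   buf[nlaHdrLen:nlaLen:nlaLen],
		})
		// Advance by the padded length; the final attribute may omit its padding.
		next := nlaAlign(nlaLen)
		if next > len(buf) {
			next = len(buf)
		}
		buf = buf[next:]
	}
	return out, nil
}

// BuildAttr encodes one attribute including its trailing padding. It exists
// only to construct the sample message below; it is not a netlink library API.
func BuildAttr(typ uint16, payload []byte) []byte {
	nlaLen := nlaHdrLen + len(payload)
	out := make([]byte, nlaAlign(nlaLen)) // zero-filled, so the padding is zero bytes
	host.PutUint16(out[0:2], uint16(nlaLen))
	host.PutUint16(out[2:4], typ)
	copy(out[nlaHdrLen:], payload)
	return out
}

// SampleMessage is a constructed attribute stream in the style of a conntrack
// reply: a 1-byte protocol number (which forces 3 bytes of padding), a u32
// counter, and a nested attribute holding an IPv4 address. The type numbers
// 1, 2 and 3 are made up for this example and are not real CTA_* values.
func SampleMessage() []byte {
	var m []byte
	m = append(m, BuildAttr(1, []byte{6})...)                      // nla_len 5, occupies 8 bytes
	m = append(m, BuildAttr(2, []byte{0xd2, 0x04, 0x00, 0x00})...) // u32 1234, little-endian
	inner := BuildAttr(1, []byte{192, 168, 0, 1})
	m = append(m, BuildAttr(3|nlaFNested, inner)...) // nested container, NLA_F_NESTED set
	return m
}

func main() {
	attrs, err := ParseAttrs(SampleMessage())
	if err != nil {
		fmt.Println("parse error:", err)
		return
	}
	for _, a := range attrs {
		fmt.Printf("type=%d nested=%v len=%d data=% x\n", a.Type, a.Nested, len(a.Data), a.Data)
	}
	// A header claiming 12 bytes when only 8 are present is rejected, not read past.
	_, err = ParseAttrs([]byte{12, 0, 1, 0, 0, 0, 0, 0})
	fmt.Println("truncated message:", err)
}
```

Nested attributes are decoded by calling `ParseAttrs` again on the container's `Data`, which is why the parser masks the type with `NLA_TYPE_MASK` and exposes the nested flag separately. The two checks on `nla_len` (not shorter than the header, not longer than what remains) are the whole of the input validation; without them a single bad length field from a corrupt or spoofed message would walk the reader off the end of the buffer.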


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds