Deferring seccomp decisions to user space

Deferring seccomp decisions to user space

Posted Jun 3, 2018 13:11 UTC (Sun) by jhoblitt (subscriber, #77733)
In reply to: Deferring seccomp decisions to user space by brauner
Parent article: Deferring seccomp decisions to user space

The "gain" of using netlink is a standard client lib, such as libnl, could be used instead of every service having a custom interface with semantics that evolve differently than other kernel interfaces over time. Imagine what the state of interoperability would be if most "ReSTful" web APIs used a custom serialization format instead of JSON?



Deferring seccomp decisions to user space

Posted Sep 14, 2018 13:32 UTC (Fri) by mathstuf (subscriber, #69389) [Link] (1 responses)

Well, that'd work if Go projects weren't so intent on not using *any* non-Go code in their stacks…</snark>

To not make this just a snark, I'll add a data point. I've seen git-lfs not want to fork out to Git for things like `remote get-url` and rather re-implement `insteadOf` and `pushInsteadOf` yet again. And so git-lfs is still broken with alias remote URLs that differ in push and pull. Attribute reading is also broken in the case of user "[attr]" attributes. Yes, both have issues filed (and I don't know Go (yet?) well enough to fix it myself).

I believe the *only* thing they fork for is to find out the version of Git used elsewhere. There might be one or two more instances as well, but they're of a similar level of actual functionality sharing.

Deferring seccomp decisions to user space

Posted Sep 14, 2018 14:46 UTC (Fri) by zlynx (guest, #2285) [Link]

I implemented a Go netlink reader for connection tracking. It wasn't hard for the most part (I do wish someone had explicitly written a few comments about data alignment instead of making it implicitly hidden in macros if I remember correctly).

I do wish that the netlink formats were better documented.

Calling C code from Go causes all sorts of complex interactions with the green threads and garbage collection so it is not a good idea to casually link into CGo.
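The alignment rule zlynx refers to is the one the kernel headers hide behind NLA_ALIGN()/NLA_HDRLEN: each netlink attribute is a 2-byte length, a 2-byte type and a payload, and the next attribute starts on a 4-byte boundary. The following is an added example, not the commenter's code or any project's library: a small Go encoder and bounds-checked parser for such an attribute stream, run over a constructed sample. Host byte order is assumed to be little-endian, and the type numbers and payloads are made-up illustrations, not real conntrack attribute ids.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// A netlink attribute (struct nlattr) is a TLV: nla_len (header plus
// payload, padding not counted), nla_type, payload, then padding so the
// next attribute starts on a 4-byte boundary (NLA_ALIGNTO in the headers).
const (
	nlaAlignTo = 4
	nlaHdrLen  = 4
)

// Attr is one decoded attribute; Data aliases the input buffer.
type Attr struct {
	Type uint16
	Data []byte
}

// nlaAlign rounds n up to the next multiple of nlaAlignTo (what NLA_ALIGN does).
func nlaAlign(n int) int {
	return (n + nlaAlignTo - 1) &^ (nlaAlignTo - 1)
}

// ParseAttrs walks an attribute stream and returns the attributes in order.
// Every length is checked against the buffer before it is used, so a
// truncated or lying header yields an error instead of an out-of-range read.
func ParseAttrs(buf []byte) ([]Attr, error) {
	var attrs []Attr
	for off := 0; off < len(buf); {
		if len(buf)-off < nlaHdrLen {
			return nil, errors.New("truncated attribute header")
		}
		// nlattr fields are in host byte order; little-endian is assumed here.
		nlaLen := int(binary.LittleEndian.Uint16(buf[off:]))
		nlaType := binary.LittleEndian.Uint16(buf[off+2:])
		if nlaLen < nlaHdrLen || off+nlaLen > len(buf) {
			return nil, fmt.Errorf("bad attribute length %d at offset %d", nlaLen, off)
		}
		attrs = append(attrs, Attr{Type: nlaType, Data: buf[off+nlaHdrLen : off+nlaLen]})
		// Skip the payload and its padding, not just the payload.
		off += nlaAlign(nlaLen)
	}
	return attrs, nil
}

// AppendAttr encodes one attribute with its trailing padding.
func AppendAttr(buf []byte, typ uint16, data []byte) []byte {
	nlaLen := nlaHdrLen + len(data)
	hdr := make([]byte, nlaHdrLen)
	binary.LittleEndian.PutUint16(hdr, uint16(nlaLen))
	binary.LittleEndian.PutUint16(hdr[2:], typ)
	buf = append(buf, hdr...)
	buf = append(buf, data...)
	return append(buf, make([]byte, nlaAlign(nlaLen)-nlaLen)...)
}

// SampleStream builds a constructed (not captured) stream: a 1-byte
// attribute (3 pad bytes follow), a 4-byte attribute (no padding) and a
// 10-byte NUL-terminated string (2 pad bytes), 32 bytes in total.
func SampleStream() []byte {
	var b []byte
	b = AppendAttr(b, 1, []byte{0x06})              // e.g. a protocol number
	b = AppendAttr(b, 2, []byte{10, 0, 0, 1})       // e.g. an IPv4 address
	b = AppendAttr(b, 3, []byte("conntrack\x00")) // e.g. a name
	return b
}

func main() {
	attrs, err := ParseAttrs(SampleStream())
	if err != nil {
		panic(err)
	}
	for _, a := range attrs {
		fmt.Printf("type=%d len=%d data=%v\n", a.Type, len(a.Data), a.Data)
	}
	// A buffer cut in the middle of a header is rejected rather than read past.
	if _, err := ParseAttrs(SampleStream()[:10]); err != nil {
		fmt.Println("rejected:", err)
	}
}
```

Dropping the nlaAlign() step in the parser is the classic mistake: the first attribute still decodes, but the second header is then read from the padding bytes, which is why the macros matter even though the wire format looks trivial.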


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds