On Sat, Mar 24, 2018 at 5:09 PM, Victor Kamensky <[email protected]> wrote: > On Sat, 24 Mar 2018, Burton, Ross wrote: >> On 24 March 2018 at 20:12, Victor Kamensky <[email protected]> wrote: >>> >>> Here is another crazy idea how to deal with it, just >>> brainstorming what options are on the table: disable >>> renameat2 with help of seccomp and force coreutils to >>> use other calls. Something along the lines that were >>> suggested with intercept of syscall function call, but >>> let kernel to do interception work. >> >> Wow, that's impressively magic. Does this depend on kernel options or >> specific recent versions?
Yeah, it's impressive but perhaps overkill for this situation. Having the kernel run a BPF script on every syscall is going to have a much bigger performance impact than intercepting one specific libc function in user space. Also, AFAIK, seccomp can't be nested - so building within an environment which has already been secured with seccomp (e.g. recent versions of docker?) might be a problem if pseudo starts to rely on seccomp too. -- _______________________________________________ Openembedded-core mailing list [email protected] http://lists.openembedded.org/mailman/listinfo/openembedded-core
