On Tue, Nov 08, 2022 at 01:41:46PM +0000, Chris Down wrote:
> Glad to see this one is doing the rounds again, one day we're going to have
> a bug in curl and this will help a lot.
> 
> If you want any review from kernel side, please feel free to let me know.
> 
> One thing that immediately strikes me is that it would be better to list the
> allowed syscalls rather than the denied ones. We're adding new syscalls all
> the time, after all, and that would make the list somewhat kernel version
> agnostic. It can always be turned off with a command line option in pacman,
> after all.

I think you are looking at the wrong version. The first iteration has the
syscall filtering, but this was dropped in v2 of the series :)

I think the goal was to split it up a little and do the syscall filtering later.

-- 
Morten Linderud
PGP: 9C02FF419FECBE16
