Morten Linderud writes:
On Tue, Nov 08, 2022 at 01:41:46PM +0000, Chris Down wrote:
Glad to see this one is doing the rounds again, one day we're going to have a bug in curl and this will help a lot.
If you want any review from kernel side, please feel free to let me know.
One thing that immediately strikes me is that it would be better to list the allowed syscalls rather than the denied ones. We're adding new syscalls all the time, after all, and that would make the list somewhat kernel version agnostic. It can always be turned off with a command line option in pacman, after all.
I think you are looking at the wrong version. The first iteration has the syscall filtering, but this was dropped in v2 of the series :)
I'm looking at the version linked by Allan :-) Is that not the version being worked on?