On Tue, Nov 24, 2020 at 01:08:20PM +0100, Florian Weimer wrote: > This documents a way to safely use new security-related system calls > while preserving compatibility with container runtimes that require > insecure emulation (because they filter the system call by default). > Admittedly, it is somewhat hackish, but it can be implemented by > userspace today, for existing system calls such as faccessat2, > without kernel or container runtime changes.
I think this is completely insane. Tell the OCI folks to fix their completely broken specification instead.
