Hi Matthew,

On 2026-03-04 17:20, Matthew Fernandez wrote:
> Interesting. Thanks for investigating this!
>
> FWIW I don't think either change meaningfully degrades the security of the
> sandbox being constructed here, so I think it's fine to take on either or
> both changes conservatively.
> 1. The sandbox already allows `open` (unfortunately), so adding `openat`
> doesn't seem to me a semantic expansion.
> 2. I'm not aware of anything security-relevant you can do with `madvise`.

The fix using madvise instead of looking at a file in /sys/kernel/mm has been merged in upstream glibc, and backported to the 2.43 stable branch. It's not yet there in the Debian package (I plan to work on it in the next days), but on the rumur side, that already means that we want the patch allowing madvise instead of openat.

Regards
Aurelien

--
Aurelien Jarno
GPG: 4096R/1DDD8C9B
[email protected]
http://aurel32.net

