On Fri, Dec 01, 2017 at 12:35:06AM +0000, Colin Watson wrote: > (Hmm, though maybe a reasonable stopgap would be to copy the relevant > syscall lists from systemd's code. That would leave me updating things > manually from time to time, which isn't great, but it would probably > still be better than maintaining my own list! I think I'll do this.)
That was indeed a worthwhile exercise. I'm now down to five sets taken verbatim from systemd, which are long but I can just update them wholesale from time to time; three sets from systemd from which I've extracted subsets, e.g. a read-only subset of file system operations; and nine additional syscalls, some of which I still need to review and possibly either restrict by arguments or drop. Those are much more tolerable numbers than a monolithic block of over a hundred syscalls. The exercise caused me to notice several syscalls I'd missed, and some that I'd included inappropriately. It's still a lot of lines of code, but should be much easier to maintain, and would probably also make it easier to switch to a syscall-set-confining library if such a thing exists in the future. (Side note: this strategy works partly because man-db is under a licence that the relevant file in systemd can be converted to using LGPL2.1 section 3. If that weren't the case then it would at the very least be much less obvious that this is a permissible thing to do.) -- Colin Watson [cjwat...@debian.org]
