Thorsten Glaser wrote, quoting Aurelien Jarno in https://bugs.debian.org/916276:
The patch is basically replacing the getdents64 syscall by the getdents
one. This means that applying this patch would make Debian differ with
regards to other distributions in the syscalls that are used for the
same binaries. In turn it is likely going to affect binaries that are
using seccomp and only allow the getdents64 and not the getdents one.
So upgrading glibc (changing a getdents syscall to a getdents64 syscall)
is fine but doing the reverse would "affect binaries that are using
seccomp"?
Sounds like security theater to me. Do the affected binaries and
syscall filters actually exist?
Because specifying seccomp filters for containers is so trivial, there
are going to be all kinds of containers whose seccomp rules allow only the syscalls they're using _right now_.
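The breakage the thread describes is a seccomp allowlist that admits getdents64 but not getdents (or the reverse), so a libc change underneath the container turns directory listing into EPERM. The following checker is an added example written for this reply, not code from the thread or from any distribution: it assumes a profile in Docker's seccomp JSON format (defaultAction plus a list of syscalls rules with names and action), reports an allowlist that contains only one side of the getdents/getdents64 pair, and emits a corrected copy that allows both. The sample profile is constructed for the example; the pair table lists only the two syscalls named in the thread.

```python
"""Check a Docker-style seccomp profile for allowlists that admit only one
of a pair of syscalls that glibc may use interchangeably (getdents/getdents64)."""
import copy
import json

# Syscalls glibc has switched between across versions. A deny-by-default
# profile that allows only one side breaks when the libc under the container
# changes. Only the pair discussed in the thread is listed here.
INTERCHANGEABLE = [("getdents", "getdents64")]

# Constructed sample profile (Docker seccomp JSON format, assumed here): it
# allows getdents64 only, which is the situation the thread warns about.
SAMPLE_PROFILE = json.dumps({
    "defaultAction": "SCMP_ACT_ERRNO",
    "syscalls": [
        {"names": ["read", "write", "openat", "close", "getdents64"],
         "action": "SCMP_ACT_ALLOW"},
    ],
})


def allowed_syscalls(profile: dict) -> set:
    """Return the set of syscall names the profile explicitly allows."""
    allowed = set()
    for rule in profile.get("syscalls", []):
        if rule.get("action") != "SCMP_ACT_ALLOW":
            continue
        allowed.update(rule.get("names", []))
        if "name" in rule:  # older single-name rule form
            allowed.add(rule["name"])
    return allowed


def find_half_allowed_pairs(profile: dict) -> list:
    """List (allowed, missing) tuples where only one syscall of a pair is allowed."""
    if profile.get("defaultAction") == "SCMP_ACT_ALLOW":
        return []  # allow-by-default: neither side is blocked
    allowed = allowed_syscalls(profile)
    findings = []
    for a, b in INTERCHANGEABLE:
        if a in allowed and b not in allowed:
            findings.append((a, b))
        elif b in allowed and a not in allowed:
            findings.append((b, a))
    return findings


def harden_profile(profile: dict) -> dict:
    """Return a copy of the profile where the rule allowing one half of a
    pair also allows the other half, so either libc syscall choice works."""
    fixed = copy.deepcopy(profile)
    for present, missing in find_half_allowed_pairs(profile):
        for rule in fixed.get("syscalls", []):
            if rule.get("action") != "SCMP_ACT_ALLOW":
                continue
            if present in rule.get("names", []):
                rule["names"].append(missing)
                break
            if rule.get("name") == present:
                rule["names"] = [present, missing]  # convert single-name form
                del rule["name"]
                break
    return fixed


def check_profile_text(text: str):
    """Parse a profile and return (findings, hardened_profile)."""
    profile = json.loads(text)
    return find_half_allowed_pairs(profile), harden_profile(profile)


if __name__ == "__main__":
    findings, fixed = check_profile_text(SAMPLE_PROFILE)
    for present, missing in findings:
        print(f"profile allows {present} but not {missing}; "
              f"a libc switching between them will hit the default action")
    print(json.dumps(fixed, indent=2))
```

Run against a container's custom profile before a base-image or host glibc upgrade; a finding means the filter pins the syscall choice of one specific libc build rather than the operation the program actually needs.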