Comment by masklinn
2 years ago
A language runtime would dispatch to the libc, which is always whitelisted.
This is only an issue for the weirdo language runtimes who’d also refuse to use libc.
cough go cough
Although it is periodically useful to be able to copy a binary to some random Linux server and know it will work.
Even for go it should actually work as-is: the syscalls should exist statically in the binary, so the loader can enumerate and whitelist them.
What gets blocked is the system constructing the entire thing at runtime, or at least setting the syscall number dynamically.
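The enumeration described in the comment above, as an added example that is not from this thread or any named project: a heuristic scan of raw x86-64 code for `mov eax/rax, imm32; syscall` sequences, which yields the numbers a loader could allowlist and separately flags `syscall` sites whose number is not set by an immediate just before them. The byte sample is constructed, not taken from a real binary.

```python
import re

# Constructed x86-64 fragment (not from any real binary): two syscall sites
# with the number loaded as an immediate, one where rax comes from another
# register, i.e. the "set dynamically" case a static allowlist cannot see.
SAMPLE_CODE = bytes.fromhex(
    "b83c000000"     "0f05"   # mov eax, 60 (exit);     syscall
    "48c7c001000000" "0f05"   # mov rax, 1  (write);    syscall
    "4889d8"         "0f05"   # mov rax, rbx (dynamic); syscall
)

# B8 imm32            -> mov eax, imm32 (zero-extended)
# 48 C7 C0 imm32      -> mov rax, imm32 (sign-extended)
# 0F 05               -> syscall
STATIC_SYSCALL = re.compile(
    rb"(?:\xb8(?P<eax>.{4})|\x48\xc7\xc0(?P<rax>.{4}))\x0f\x05", re.DOTALL
)
ANY_SYSCALL = re.compile(rb"\x0f\x05")


def enumerate_syscalls(code: bytes):
    """Return (static_numbers, dynamic_sites).

    static_numbers: sorted syscall numbers readable straight from the code.
    dynamic_sites:  offsets of `syscall` instructions not preceded by an
                    immediate load, so their number is only known at runtime.
    This is a byte-pattern heuristic, not a disassembler: it can miss sites
    where other instructions sit between the load and the syscall, and can
    misfire on data that happens to look like code.
    """
    static = {}  # offset of the syscall opcode -> syscall number
    for m in STATIC_SYSCALL.finditer(code):
        if m.group("eax") is not None:
            number = int.from_bytes(m.group("eax"), "little", signed=False)
        else:
            number = int.from_bytes(m.group("rax"), "little", signed=True)
        static[m.end() - 2] = number
    dynamic = [m.start() for m in ANY_SYSCALL.finditer(code)
               if m.start() not in static]
    return sorted(set(static.values())), dynamic


if __name__ == "__main__":
    numbers, dyn = enumerate_syscalls(SAMPLE_CODE)
    print("allowlistable syscall numbers:", numbers)
    print("syscall sites with runtime-set numbers at offsets:", dyn)
```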
Isn’t that how all syscalls work? The syscall number typically goes in a register.