From: Szabolcs Nagy via Libc-alpha
Reply-To: Szabolcs Nagy
To: Aleksa Sarai
Cc: Florian Weimer, Christian Brauner, Florian Weimer via Libc-alpha
Date: Thu, 29 Jul 2021 12:38:30 +0100
Subject: Re: RFC: Disable clone3 for glibc 2.34
Message-ID: <20210729113829.GD14854@arm.com>
In-Reply-To: <20210729085608.6n6hxithibfsdslj@senku>
List-Id: Libc-alpha mailing list

The 07/29/2021 18:56, Aleksa Sarai wrote:
> On 2021-07-27, Szabolcs Nagy wrote:
> > The 07/27/2021 20:22, Aleksa Sarai wrote:
> > > Yes, runc has had the -ENOSYS fallback behaviour for a few releases now.
> > >
> > > The way it works is that any syscall which has a larger syscall number
> > > than any syscall specified in the filter will get -ENOSYS (this works
> > > even if libseccomp is outdated). The only way you could get the -EPERM
> > > behaviour with modern runc is if you write a seccomp profile that had
> > > rules for newer syscalls (openat2 for instance) but not clone3 -- but
> > > Docker doesn't do that. (The reason for this slightly convoluted
> > > behaviour was to make sure that intentional omissions actually give you
> > > -EPERM.)
> >
> > this sounds broken. it really should return ENOSYS unless
> > a user specifically asked for a different errno value for
> > a syscall. EPERM is just wrong.
>
> Yes, if I was designing it from scratch, that's what I would've done.
>
> But there are already existing filters that are written assuming the
> default errno is EPERM. Returning ENOSYS from clone(2) or unshare(2) for
> existing profiles is not a workable solution.
>
> Should we fix all existing profiles and then change the behaviour again?
> Sure, but given we solved this problem in a period of time when people
> were screaming about glibc being broken in containers, I hope you'll
> excuse the fact that we didn't really have time to co-ordinate updating
> every downstream runc user.

i think this can be fixed backward compatibly by
returning EPERM for old syscalls.

> > we will see random breakage in the future depending on
> > what unrelated but newer syscalls users added to their
> > whitelist. who thought this was a good idea?
>
> If you update your syscall profile without knowing what you're doing,
> things will break. That will always be the case.
>
> The plan is/was to eventually implement this by explicitly stating a
> minimum kernel version (so that all syscalls missing in the profile that
> were available in that kernel version get ENOSYS) but libseccomp doesn't
> provide that information at the moment, and given that such a filter
> would be more complicated than the one we have at the moment, that
> behaviour probably belongs in libseccomp (there are several issues open
> in the libseccomp repo describing this issue and possible solutions).

i don't think you need to do anything complicated
with a fixed cut off, e.g.

  return nr < 403 ? EPERM : ENOSYS

or you can give an explicit list of syscalls that
should return EPERM for bw compat reasons and the
rest is ENOSYS. (and there should be an easy way
to opt-out of the bw compat behaviour and always
do ENOSYS)
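
The two default-errno policies discussed in this message, side by side, as an added example that is not part of the original email and is not runc or libseccomp code. It models a profile as a plain list of syscall numbers rather than a real BPF filter; the function names, the two constructed profiles and the hard-coded x86_64 syscall numbers are assumptions made for illustration.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* x86_64 syscall numbers, hard-coded (assumption) so the example builds anywhere. */
enum { NR_READ = 0, NR_WRITE = 1, NR_CLONE = 56, NR_UNSHARE = 272,
       NR_STATX = 332, NR_CLONE3 = 435, NR_OPENAT2 = 437 };

/* A profile is modelled as the list of syscall numbers it has rules for. */
struct profile { const int *allowed; size_t n; };

static int in_profile(const struct profile *p, int nr) {
    for (size_t i = 0; i < p->n; i++)
        if (p->allowed[i] == nr) return 1;
    return 0;
}

/* Behaviour described in the quoted text: ENOSYS only above the highest
 * syscall number the profile mentions, EPERM for every other omission.
 * Returns 0 when the syscall is allowed. */
int errno_highest_rule(const struct profile *p, int nr) {
    int max = -1;
    if (in_profile(p, nr)) return 0;
    for (size_t i = 0; i < p->n; i++)
        if (p->allowed[i] > max) max = p->allowed[i];
    return nr > max ? ENOSYS : EPERM;
}

/* Fixed cut-off suggested in the reply: nr < 403 ? EPERM : ENOSYS. */
int errno_fixed_cutoff(const struct profile *p, int nr) {
    if (in_profile(p, nr)) return 0;
    return nr < 403 ? EPERM : ENOSYS;
}

/* Constructed profiles: "old" predates clone3; "new" adds only openat2. */
static const int old_rules[] = { NR_READ, NR_WRITE, NR_CLONE, NR_STATX };
static const int new_rules[] = { NR_READ, NR_WRITE, NR_CLONE, NR_STATX, NR_OPENAT2 };
const struct profile old_profile = { old_rules, 4 };
const struct profile new_profile = { new_rules, 5 };

int main(void) {
    printf("highest-rule, old profile: clone3 -> %d\n", errno_highest_rule(&old_profile, NR_CLONE3));
    printf("highest-rule, new profile: clone3 -> %d\n", errno_highest_rule(&new_profile, NR_CLONE3));
    printf("fixed cutoff, new profile: clone3 -> %d\n", errno_fixed_cutoff(&new_profile, NR_CLONE3));
    return 0;
}
```

Adding an openat2 rule flips clone3 from ENOSYS to EPERM under the highest-rule policy, while the fixed cut-off keeps clone3 at ENOSYS and still returns EPERM for an omitted unshare.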