gwerbin 8 hours ago
It says on their GitHub profile that they are building some kind of nowhere detection product. Maybe in that context, a very strict syscall allowlist is useful or good?

> It is designed for CI pipelines, CTF jail challenges, and lightweight code evaluation

Looking at the list, it seems pretty good for that. What does a CI runner that just needs to run GCC or whatever really need?

Edit: no open does seem restrictive. Not that it's bad security (not my area of expertise), but how many useful programs use open that are just off limits here?