by nwmcsween 2472 days ago
Because 99.9% of software doesn't make use of direct syscalls; instead it uses wrappers or standard functions that wrap various other syscalls that can and will change over time. This means $app_container v0.1 can and probably will have a different seccomp filter than $app_container v0.2.

This is the same case regardless of being in a container or not; $app v0.1 and $app v0.2 will have different filters.
Of course they will, but Docker et al. attach filters to containers rather than attaching them to a specific binary, which is much easier (although still broken).
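The thread's point is that a seccomp filter has to be written against the kernel syscall ABI, not the libc API the program is written to, and the mapping between the two shifts with the libc version and architecture. The following is an added example, not code posted in the thread: it installs a small BPF filter that fails the legacy open(2) syscall with EACCES and openat(2) with EPERM, then calls the ordinary libc open() wrapper. The errno that comes back reveals which raw syscall the wrapper really used, which is exactly the detail a filter written for one build can get wrong for the next. It assumes Linux on x86_64 or aarch64 (the legacy open syscall does not exist on aarch64, so that branch is compiled out), a glibc or musl libc, and that /dev/null exists; the function and macro names are the example's own.

```c
// Added example (not from the thread): show that the libc open() wrapper is
// serviced by whichever raw syscall the libc chooses, not by the one whose name
// it shares. Assumes Linux on x86_64 or aarch64 with glibc or musl.
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Hypothetical helper macro: the AUDIT_ARCH value to pin the filter to. */
#if defined(__x86_64__)
#define DEMO_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define DEMO_ARCH AUDIT_ARCH_AARCH64
#endif

/* Install a filter that fails openat(2) with EPERM and, where the syscall
 * exists at all, legacy open(2) with EACCES. Everything else is allowed.
 * The filter is irreversible for the lifetime of the process. */
static int install_filter(void)
{
    struct sock_filter filter[] = {
#ifdef DEMO_ARCH
        /* Refuse to run under a foreign ABI (e.g. 32-bit compat syscalls). */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, DEMO_ARCH, 1, 0),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
#endif
        /* Load the syscall number and dispatch on it. */
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_openat, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA)),
#ifdef __NR_open
        /* Legacy open(2): present on x86_64, absent on aarch64. */
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_open, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EACCES & SECCOMP_RET_DATA)),
#endif
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = {
        .len = (unsigned short)(sizeof(filter) / sizeof(filter[0])),
        .filter = filter,
    };
    /* Required for an unprivileged process to install a filter. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Call the libc open() wrapper; return 0 on success or the errno it set. */
static int probe_open(void)
{
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Does this architecture even have the legacy open(2) syscall number? */
int legacy_open_exists(void)
{
#ifdef __NR_open
    return 1;
#else
    return 0;
#endif
}

/* Probe open() before and after the filter. Returns 0, or -1 if the filter
 * could not be installed (no seccomp support, or prctl denied). */
int run_demo(int *before, int *after)
{
    *before = probe_open();
    if (install_filter() != 0)
        return -1;
    *after = probe_open();
    return 0;
}

int main(void)
{
    int before, after;
    if (run_demo(&before, &after) != 0) {
        perror("seccomp filter install");
        return 1;
    }
    printf("open() before filter: %s\n", before ? strerror(before) : "ok");
    printf("open() after filter:  %s -> libc's open() used %s\n",
           strerror(after),
           after == EPERM ? "openat(2)" :
           after == EACCES ? "legacy open(2)" : "something else");
    return 0;
}
```

Run it under glibc 2.26 or later on x86_64 and the wrapper reports EPERM, i.e. it went through openat(2); an allowlist that only admitted the legacy open(2) because that is what the binary "calls" would have broken it silently. A different libc build can pick the other syscall, which is the version-to-version drift the thread describes, and it is why a filter generated by tracing one build (or shipped as one container-wide profile) needs regenerating and re-testing per release.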