Implement post-exec filter loading #1
Description
Like firejail does, avoids the need to include a number of Go runtime calls (futex, rt_sigmask, nanosleep, epoll_wait) and execve into all filters.
Possible implementation:
- Compile a separate "loader" DSO
- Use memfd_create and write BPF code into FD.
- Set LD_PRELOAD to inject "loader" DSO.
- Exec target binary, passing filter FD to it (specify the FD number via env. var).
- Have "loader" DSO load filter and unset FD number env. var on load.
This obviously will not work with statically linked executables, but most executables are dynamically linked with at least libc so it can be ignored.