note about getrandom with syscall whitelists

2019-06-01 04:06:43 -04:00 · 2019-06-01 04:06:43 -04:00 · 64a1f59020
commit 64a1f59020
parent b40ba9754b
1 changed files with 6 additions and 0 deletions
--- a/README.md
+++ b/README.md
@ -666,6 +666,12 @@ System calls used by all build configurations:
 * `munmap`
 * `write(STDERR_FILENO, buf, len)` (before aborting due to memory corruption)

+The main distinction from a typical malloc implementation is the use of
+getrandom. A common compatibility issue is that existing system call whitelists
+often omit getrandom partly due to older code using the legacy `/dev/urandom`
+interface along with the overall lack of security features in mainstream libc
+implementations.
+
 Additional system calls when `CONFIG_SEAL_METADATA=true` is set:

 * `pkey_alloc`