We don't do fork()/clone() ourselves, opening the door for many pitfalls, e.g. we inherit open file descriptors, which may enable bypassing of the policies we set. OTOH, some open fds may actually be desired.
We must either offer a safe fork()/clone() or check that the current process is in a reasonable state and/or transform to that state.
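One way to implement the "check and/or transform" option on Linux, as an added example that is not the project's own code: it walks `/proc/self/fd` and either counts or closes every descriptor that is not on a caller-supplied allowlist, so desired fds survive. The name `sweep_inherited_fds`, its parameters and the reliance on `/proc` are assumptions.

```c
#define _GNU_SOURCE
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Hypothetical helper (not the project's API): walk /proc/self/fd and handle
 * every descriptor that is not in keep[]. With do_close == 0 it only counts
 * them (the "check"); with do_close != 0 it closes them (the "transform").
 * Returns the number of unexpected descriptors, or -1 if /proc is unusable,
 * in which case the caller should refuse to continue. */
int sweep_inherited_fds(const int *keep, size_t nkeep, int do_close)
{
    DIR *dir = opendir("/proc/self/fd");
    if (dir == NULL)
        return -1;
    int self = dirfd(dir);          /* the fd used for this listing itself */
    int unexpected = 0;
    struct dirent *e;

    while ((e = readdir(dir)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (end == e->d_name || *end != '\0' || fd == self)
            continue;               /* skips ".", ".." and our own dirfd */
        int wanted = 0;
        for (size_t i = 0; i < nkeep; i++)
            wanted |= (keep[i] == fd);
        if (wanted)
            continue;
        unexpected++;
        if (do_close)
            close((int)fd);
    }
    closedir(dir);
    return unexpected;
}

int main(void)
{
    int keep[] = {0, 1, 2};         /* constructed allowlist: stdio only */
    int stray = open("/dev/null", O_RDONLY);   /* stands in for an inherited fd */
    printf("unexpected before: %d\n", sweep_inherited_fds(keep, 3, 0));
    printf("closed:            %d\n", sweep_inherited_fds(keep, 3, 1));
    printf("stray still open:  %s\n", fcntl(stray, F_GETFD) == -1 ? "no" : "yes");
    return 0;
}
```

Running the sweep before any policy is applied keeps the allowlist decision explicit; a `-1` return should be treated as "state unknown" rather than "clean".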