ld_audit vs ld_preload for sandbox #13

Open
garlicgambit opened this issue Oct 24, 2020 · 4 comments
Comments

@garlicgambit
This article mentions that LD_AUDIT is an alternative to LD_PRELOAD. Does ld_audit offer any benefits over ld_preload for the sandbox?

@ignatk (Contributor) commented Oct 26, 2020

One potential benefit I could see is having more control over when libsandbox.so should install seccomp filters, as with LD_PRELOAD, if several libraries are defined in the list, we can't have any ordering guarantees.

Do note that while the article describes that LD_AUDIT has the advantage of having a chance to execute code earlier than even LD_PRELOAD, this is not what we want for the sandbox case. If we want to install filters as early as possible, we should just use the sandboxify command-line tool. However, installing filters too early may have the disadvantage of having to allow more syscalls than actually needed (as described in my post).

In fact, we want quite the opposite: install filters as late as possible, after the init stage and before the application's main function. Therefore I would see the benefit of installing the filters from the la_preinit() callback should we add support for the LD_AUDIT mode to the libsandbox.so library.
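The placement described above, as an added example that is not libsandbox's own code: an rtld-audit library whose la_preinit() hook (run by the loader after all constructors, including LD_PRELOAD ones, and right before main) builds and installs a seccomp allowlist. The allowlist contents and the SANDBOX_ARCH mapping are constructed for illustration.

```c
// Added example (not libsandbox's code): rtld-audit library that installs a seccomp
// allowlist from la_preinit(). Build: gcc -shared -fPIC -o audit-sb.so audit-sb.c
// Run: LD_AUDIT=./audit-sb.so ./program
#define _GNU_SOURCE
#include <errno.h>
#include <link.h>
#include <stddef.h>
#include <stdlib.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#if defined(__x86_64__)
#define SANDBOX_ARCH AUDIT_ARCH_X86_64
#else
#define SANDBOX_ARCH AUDIT_ARCH_AARCH64   /* assumption: add a case per ABI you support */
#endif
#define STMT(code, k)         ((struct sock_filter)BPF_STMT(code, k))
#define JUMP(code, k, jt, jf) ((struct sock_filter)BPF_JUMP(code, k, jt, jf))

// Classic-BPF program: kill on a foreign ABI (syscall numbers differ per arch), allow the
// numbers in nrs[], fail everything else with EPERM. Returns instruction count, 0 on error.
static size_t build_allowlist(struct sock_filter *p, size_t cap, const int *nrs, size_t n) {
    if (n > 250 || cap < n + 6) return 0;               // jt is an 8-bit forward offset
    p[0] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    p[1] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, SANDBOX_ARCH, 1, 0);
    p[2] = STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL);
    p[3] = STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < n; i++)                      // a match skips the rest and the EPERM return
        p[4 + i] = JUMP(BPF_JMP | BPF_JEQ | BPF_K, nrs[i], n - i, 0);
    p[4 + n] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA));
    p[5 + n] = STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    return n + 6;
}

static int install_filter(const int *nrs, size_t n) {
    struct sock_filter prog[256];
    struct sock_fprog fp = { .len = (unsigned short)build_allowlist(prog, 256, nrs, n), .filter = prog };
    if (fp.len == 0 || prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;  // needed unprivileged
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fp);
}

// The loader calls la_version() first; returning LAV_CURRENT opts this library in.
unsigned int la_version(unsigned int v) { (void)v; return LAV_CURRENT; }

// Runs after every initializer and just before main(): the latest in-process install point.
void la_preinit(uintptr_t *cookie) {
    (void)cookie;
    static const int allowed[] = { SYS_read, SYS_write, SYS_brk, SYS_exit, SYS_exit_group };  // constructed
    if (install_filter(allowed, sizeof allowed / sizeof allowed[0]) != 0) abort();            // fail closed
}
```

Because la_preinit() runs after all constructors, the allowlist only has to cover what main() and later code need, which is the point made above about not installing too early.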

@garlicgambit (Author)
Suggest adding a link to your article in the README.md.

Will do a bit more research on this.

@ignatk (Contributor) commented Oct 28, 2020

Currently libsandbox does not support LD_AUDIT, so there is nothing to add to the README.

@garlicgambit (Author)
Your own article is not linked in the README.
