Hi,

Maxime Devos skribis:

> Many of these are supported by 'least-authority-wrapper' but these POLA
> wrappers require creating an additional process which seems a bit
> unoptimal to me (memory- and latency-wise).

Yeah, that’s why I initially looked at unshare(2), just to find out that we can’t quite do the same as with clone(2)—in particular we cannot escape the current PID namespace. (There were also complications, such as the fact that you can only unshare(2) a single-threaded process, meaning that Guile had to be started with GC_MARKERS=1. For posterity, part of the patch I had is attached below.)

> Also, having to do fork, waitpid and primitive-fork seems rather low-
> level to me, so I prefer moving this code into somewhere like (gnu
> build SOMEWHERE) or to keep the old make-forkexec-constructor/container
> code.

‘primitive-fork’ and ‘waitpid’ calls are in (gnu build linux-container) right now so I guess we’re fine?

The goal though is to replace uses of ‘make-forkexec-constructor/container’ with uses of ‘least-authority-wrapper’, as done in this patch series.

Ludo’.
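The PID-namespace limitation of unshare(2) mentioned in the message above, as an added C example that is not part of the thread or of the attached patch: after `unshare(CLONE_NEWPID)` the caller keeps its PID, and only a process forked afterwards runs as PID 1 of the new namespace. The function and enum names are constructed for this example, and it assumes a Linux system; where unprivileged user namespaces are disabled it reports `NS_UNAVAILABLE`.

```c
#define _GNU_SOURCE
#include <sched.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result codes (constructed for this example). */
enum { NS_OK = 0, NS_CALLER_MOVED = 1, NS_CHILD_NOT_INIT = 2, NS_UNAVAILABLE = 3 };

/* Runs in a throwaway, single-threaded helper so the caller's own
   namespaces are left untouched. */
static int helper(void)
{
    pid_t before = getpid();

    /* CLONE_NEWUSER lets an unprivileged process create the PID namespace;
       it is also the flag that requires a single-threaded caller. */
    if (unshare(CLONE_NEWUSER | CLONE_NEWPID) != 0)
        return NS_UNAVAILABLE;      /* e.g. EPERM: user namespaces disabled */

    if (getpid() != before)
        return NS_CALLER_MOVED;     /* the caller stays in its old PID namespace */

    pid_t child = fork();           /* first child becomes PID 1 of the new one */
    if (child < 0)
        return NS_UNAVAILABLE;
    if (child == 0)
        _exit(getpid() == 1 ? NS_OK : NS_CHILD_NOT_INIT);

    int status;
    if (waitpid(child, &status, 0) < 0 || !WIFEXITED(status))
        return NS_CHILD_NOT_INIT;
    return WEXITSTATUS(status);
}

/* Returns NS_OK when the behaviour was observed, NS_UNAVAILABLE when the
   kernel or sandbox refuses to create the namespaces. */
int probe_unshare_pid_namespace(void)
{
    pid_t pid = fork();
    if (pid < 0) return NS_UNAVAILABLE;
    if (pid == 0) _exit(helper());
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return NS_UNAVAILABLE;
    return WEXITSTATUS(status);
}

int main(void) { return probe_unshare_pid_namespace(); }
```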