Note that I also added SystemCallFilter and SystemCallArchitectures instructions to blacklist some system calls in that last commit. While this is good from a security PoV, this might have a noticeable performance impact on syscall-heavy loads. Some studies reported a 25% performance hit in one of the worst-case scenarios (a program looping on getppid(), one of the cheapest syscalls). I'm wondering if we are not already paying this cost with existing instructions like RestrictAddressFamilies, though.
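For readers unfamiliar with the directives named above, here is an illustrative systemd drop-in showing how the syscall sandboxing is expressed. This is an added example, not the commit being discussed or the project's own unit file; the service name `example.service` and the chosen filter sets are assumptions.

```ini
# /etc/systemd/system/example.service.d/10-syscall-sandbox.conf
# Added example (not the project's unit file). Service name is a placeholder.
[Service]
# Only allow syscalls native to the host ABI; blocks e.g. 32-bit calls on x86-64
# and removes a whole compat surface at a negligible runtime cost.
SystemCallArchitectures=native

# Deny-list form (the "blacklist" style mentioned above): every listed set is
# rejected, everything else is allowed. '~' means "all calls NOT in this set".
SystemCallFilter=~@mount @module @raw-io @reboot @swap @obsolete @cpu-emulation @debug

# Allow-list form (stricter alternative): only calls in @system-service pass.
# Use one form or the other; the last assignment wins if both are present.
#SystemCallFilter=@system-service

# Return EPERM instead of killing the process, so a blocked call shows up as an
# error in the service log rather than a SIGSYS crash. Useful while tuning.
SystemCallErrorNumber=EPERM

# Already present in many hardened units; like SystemCallFilter it installs a
# seccomp program, so the per-syscall BPF cost is paid once either way.
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
```

To see which syscalls a named set expands to before committing to it, run `systemd-analyze syscall-filter @system-service`; after `systemctl daemon-reload` and a restart, a rejected call appears in `journalctl -u example.service` as an EPERM error (or, without SystemCallErrorNumber, as the service dying with SIGSYS). Both SystemCallFilter and RestrictAddressFamilies are implemented through a seccomp BPF program, which is why the per-syscall overhead is largely shared rather than additive.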