Mickaël Salaün

Sorry for the delay, I missed the GitHub notification. Thanks for working on this, I'm happy to help! However, I'm not familiar with runtime-spec, my suggestions may not be accurate....

> I suggest using a simplified version of a file/dir access rules like RW, RO. In this case, we could use RODirs()...RwFiles() RW and RO are misleading because there is...

This is equivalent to https://github.com/containers/common/pull/1081 and https://github.com/moby/moby/pull/43199

I don't think that the FUTEX_LOCK_PI trick can be used to force a caller to use it and delegate its priority to the callee. Moreover, this seems to only be...

> * It probably uses a few more CPU cycles than regular tests, but it might be worth it. We can optimize the Qemu command yes, I'll create a repo...

> > What would be great is a way to build the kernels from source but cache the result. Do you know a "standard" way to do that with GitHub?...

> > Actually it is trivial to enable it on UML but it is incompatible with hostfs (for which I have a patch almost ready to be send). I think...

I need to create a repository with the required kernel files to test Landlock, but in the meantime here is a [minimal UML configuration for Landlock](https://gist.github.com/l0kod/595bb615617360b618c561140a60bad9). You can build a...

A slightly more generic approach would be to ignore a type of error: `golandlock.RODirs(".Xauthority", ".gtkrc").IgnoreError(MissingObject)`.

> Remark, could have been used here: > > https://github.com/oxzi/gosh/blob/main/internal/hardening_linux.go#L32 Could you explain a bit more? It seems that this line changed.