Feel free to commit this.

Wow, thank you, @gnn, for looking at this. I appreciate that!

@lwhsu Is those settings ok with our tests machines?

Could you also add test for this case?

Oh. Right.
I didn't noticed that after realloc the memory is not cleaned.
Yes, I also would go with @delphij suggestion.

If I understand correctly, the envVars with the putenv can't be reused.
So the putenv actually is set to 0 (as we are doing calloc'ing the memory needed for envVars), and we are 0 memory when we needed.
So besides the unhappy MK_UBSAN, there are no functional changes, as well as there is no security implication.
If I'm wrong at some of these statements, please correct me.

Address @markj review.
Cover the wait issue.
Add test cases.

We have fdopendir in libc I wonder if this won't be confusing. Maybe we should rename this to something like rtld_opendir.
But whatever name your choose this LGTM.

Fixes are on haed.

Hello Oliver,

Hello Oliver,

Address @jhb comments (I hope).

Hym its works for me.

Can you provide some more context?

@secteam ping?

Yes. This looks go to me.

Address @scf and @emaste suggestions.

In general it's a great work.
Minor requests.

@scf secteam Can I proceed with this?

Address @jhb suggestions.

Ping?

LGTM.
Do you have commit bit or should I commit this?

LGTM.
I prefer this approach then forbidding whole socket syscall.

After addressing @zlei.huang_gmail.com points - LGTM.

Some minor notes.
Thank you for working on this.

Thank you @kib for explanation, I will analyze this further.

Address scf@ suggestions.

Ping?

Ups sorry I just wanted to comment it without accepting it.

Shouldn't we return here a ECAPMODE ?
In capability mode there isn't any way where dot dot is valid right?

@0mp Thanks I addressed that.

Update diff.

Thank you @kib for hints!