Docker applies a default seccomp profile that blocks around 40 to 50 syscalls. This meaningfully reduces the attack surface. But the key limitation is that seccomp is a filter on the same kernel. The syscalls you allow still enter the host kernel’s code paths. If there is a vulnerability in the write implementation, or in the network stack, or in any allowed syscall path, seccomp does not help.
Игорь Комаров и его девушка, блогер Ева Мишалова
。heLLoword翻译官方下载对此有专业解读
这种定位通过纪录片创作得以深化。剪辑陷入瓶颈时,他的导师提供了颠覆性的建议:关掉所有画面,只聆听采访录音,两个月内不看影像。这对习惯于视觉思维的创作者而言,无异于一次“信仰的飞跃”。他照做了,两个月里,他只面对亲人们的声音。那些用粤语、英语讲述的,充满情感风暴、时常跳跃、夹杂着痛苦与怨愤的叙述,动荡时期的恐惧、逃亡路上的艰辛、家庭内部的委屈,所有这些情绪,剥离了画面的修饰,以最直接的声音形式冲击着他。
Photograph: Simon Hill