From 64a1f590201a4cbe5dba8a119fc4570b7db0bc5b Mon Sep 17 00:00:00 2001
From: Daniel Micay <danielmicay@gmail.com>
Date: Sat, 1 Jun 2019 04:06:43 -0400
Subject: [PATCH] note about getrandom with syscall whitelists

---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index c74a6bf..bf8de30 100644
--- a/README.md
+++ b/README.md
@@ -666,6 +666,12 @@ System calls used by all build configurations:
 * `munmap`
 * `write(STDERR_FILENO, buf, len)` (before aborting due to memory corruption)
 
+The main distinction from a typical malloc implementation is the use of
+getrandom. A common compatibility issue is that existing system call whitelists
+often omit getrandom partly due to older code using the legacy `/dev/urandom`
+interface along with the overall lack of security features in mainstream libc
+implementations.
+
 Additional system calls when `CONFIG_SEAL_METADATA=true` is set:
 
 * `pkey_alloc`