Linux systems usually get their random numbers from /dev/\[u\]random. This interface, however, is vulnerable to file descriptor exhaustion attacks, where the attacker consumes all available file descriptors, and is inconvenient for containers. The getrandom(2) syscall, analogous to OpenBSD's getentropy(2), solves that problems.
This is the big one for me. No more directly opening /dev/urandom on Linux and it works in chroot. When will Linux distros begin shipping this kernel?
You're not going to be able to adequately rely on this feature by itself for years, probably. I'd guess a 5-6 year window before it's widespread.
Considering there isn't even a LTS kernel/system out with it coming anytime soon, I'd suggest you keep your fallback code to check `/dev/urandom`, even if FD exhaustion/chroots are a problem.
I had thought Ubuntu 14.04 backports will be running this kernel soon...
However, this isn't really for you. This is for your library; this is what arc4random() is meant to use. (Of course, the name is legacy, you should be using ChaCha20 in that.)
Ubuntu is the least of my worries; Ubuntu backports is an even smaller blip on the radar. What about all the software running on CentOS and RHEL 6.x systems? Those aren't going away soon.
And yes, I understand the implications of what this exact system call is meant to do; explanation much appreciated nonetheless (clearly it could have mislead some people).
My only point is this system call is a step forward, and mitigates some known problematic attacks or edge cases - but nonetheless, we'll need adequate fallbacks for unsupported systems for many, many years to come in our libraries.
Thinking of it this way, I'm somewhat amazed Linux has gone this far /without/ this feature. If I had to hazard a guess, I'd say it was either A) never suggested, which I find unlikely, or B) your typical NIH/"this is nonsense and not needed" response you sometimes see to sane things in the Linux world (despite them implementing a thousand new things every two months, that only 5 people in the world could ever use, and inevitably will result in a handful of CVEs - their priorities are Serious Business, after all.) But maybe I'm just a cynic at this point.
This is the big one for me. No more directly opening /dev/urandom on Linux and it works in chroot. When will Linux distros begin shipping this kernel?