In the original post I had made a small shim that redirects calls from libc's getrandom to the kernel device (/dev/urandom).

Since I had used alpine images, linking against libmusl was a reasonable choice, but that meant this hack would be limited to libmusl-based images.

I have since found a way to generalise this to work with any flavor of libc:

// getrandom_shim.c  — no libc dependency
#include <sys/syscall.h>
#include <stddef.h>

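/*
 * Issue a raw Linux system call with up to three arguments, bypassing libc.
 *
 *   n        system call number (a SYS_* constant from <sys/syscall.h>)
 *   a, b, c  the first three arguments; pass 0 for the ones a call does not use
 *
 * Returns the kernel's raw result. A failure comes back as a negative errno
 * value, not as -1: errno is a libc facility and is never touched here.
 *
 * Uses __asm__ rather than asm so the file also builds in strict ISO modes
 * (-std=c99 / -std=c11).
 */
static long sys(long n, long a, long b, long c) {
#if defined(__x86_64__)
    long r;
    /* Number in rax, arguments in rdi/rsi/rdx; the syscall instruction
     * itself overwrites rcx and r11, hence the clobber list. */
    __asm__ volatile("syscall"
                     : "=a"(r)
                     : "a"(n), "D"(a), "S"(b), "d"(c)
                     : "rcx", "r11", "memory");
    return r;
#elif defined(__aarch64__)
    /* Number in x8, arguments in x0..x2; the result replaces x0. */
    register long x8 __asm__("x8") = n;
    register long x0 __asm__("x0") = a;
    register long x1 __asm__("x1") = b;
    register long x2 __asm__("x2") = c;
    __asm__ volatile("svc 0" : "+r"(x0) : "r"(x8), "r"(x1), "r"(x2) : "memory");
    return x0;
#else
    /* Fail the build instead of returning an uninitialized value on a target
     * whose system call convention is not implemented above. */
#error "getrandom_shim: only x86_64 and aarch64 are supported"
#endif
}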

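/*
 * Replacement for getrandom(2) that fills buf from /dev/urandom.
 *
 *   buf    destination buffer
 *   len    number of bytes wanted
 *   flags  ignored: GRND_NONBLOCK and GRND_RANDOM have no effect
 *
 * Returns the number of bytes written to buf, or -1 if the device could not
 * be opened or nothing could be read.
 *
 * Differences from the real call that a caller should know about:
 *   - getrandom(..., 0) waits until the kernel's random pool is initialized;
 *     a read from /dev/urandom does not wait, so that guarantee is lost.
 *   - errno is not set on failure (there is no libc here), so a caller that
 *     inspects errno after -1 sees a stale value.
 *   - /dev/urandom must exist inside the container or chroot.
 */
long getrandom(void *buf, size_t len, unsigned int flags) {
    /* Linux ABI values, identical on the two architectures sys() supports;
     * spelled out here so no libc header beyond the syscall numbers is needed. */
    enum { SHIM_AT_FDCWD = -100, SHIM_O_RDONLY = 0, SHIM_O_CLOEXEC = 02000000 };

    (void)flags;

    /* openat rather than open: aarch64 has no open system call, so SYS_open
     * is not defined there. The mode argument is left out because it is only
     * consulted when a file is being created. O_CLOEXEC keeps the descriptor
     * from leaking into a child that another thread execs mid-call. */
    long fd = sys(SYS_openat, SHIM_AT_FDCWD, (long)"/dev/urandom",
                  SHIM_O_RDONLY | SHIM_O_CLOEXEC);
    if (fd < 0) return -1;

    unsigned char *out = buf;
    size_t done = 0;
    long rc = 0;
    /* A single read may return fewer bytes than requested; keep going until
     * the buffer is full, the device reports end of data, or a read fails. */
    while (done < len) {
        rc = sys(SYS_read, fd, (long)(out + done), (long)(len - done));
        if (rc <= 0) break;
        done += (size_t)rc;
    }
    sys(SYS_close, fd, 0, 0);

    /* sys() reports failures as negative errno values; callers of getrandom
     * expect -1, and must never mistake an error code for a byte count. */
    if (done == 0 && rc < 0) return -1;
    return (long)done;
}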

We now have to add -nostdlib to the compilation command, but musl-dev is still needed for the syscall headers:

# Build the shim inside a throwaway Alpine container with the current directory
# mounted at /src. -nostdlib keeps libc out of the link; musl-dev is installed
# only for its headers.
docker run --rm -v "$PWD":/src -w /src alpine:3.19 sh -c \
  "apk add --no-cache gcc musl-dev && gcc -shared -fPIC -nostdlib -O2 -o getrandom_shim.so getrandom_shim.c"
# Make the library readable by everyone and writable by its owner only.
# NOTE(review): the container runs as root by default, so on a native Linux host
# the output may be root-owned and this chmod may need elevated rights - confirm.
chmod 644 getrandom_shim.so

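And now we can use getrandom_shim.so with any image, regardless of which flavor of libc it uses, as long as the image runs on the CPU architecture the shim was compiled for. Keep in mind that the shim ignores the flags argument and reads /dev/urandom, so it does not wait for the kernel's random pool to be initialized the way getrandom does.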

On that note, this follow-up post answers whether this hack is still in place.