Re: [PATCH 0/3] signal: HANDLER_EXIT should clear SIGNAL_UNKILLABLE

[Kees Cook <keescook@chromium.org>]

On Fri, Feb 11, 2022 at 11:46:53AM -0600, Eric W. Biederman wrote:
> Robert Święcki <robert@swiecki.net> writes:
> > When I noticed this problem, I was looking for a way to figure out
> > what syscall caused SIGSYS (via SECCOMP_RET_KILL_*), and there's no
> > easy way to do that programmatically from the perspective of a parent
> > process. There are three ways of doing this that come to mind.
> 
> Unless I am misunderstanding what you are looking for
> this information is contained within the SIGSYS siginfo.
> The field si_syscall contains the system call number and
> the field si_errno contains return code from the seccomp filter.
> 
> All of that can be read from the core dump of the process that exited.
> 
> Looking quickly I don't see a good way to pull that signal information
> out of the kernel other than with a coredump.
> 
> It might be possible to persuade PTRACE_EVENT_EXIT to give it to you,
> but I haven't looked at it enough to see if that would be a sensible
> strategy.

If there is already a ptrace on the child with PTRACE_O_TRACEEXIT, it
should be possible to use PTRACE_GETSIGINFO.

> > I think it'd be good to have some way of doing it from the perspective
> > of a parent process - it'd simplify development of sandboxing managers
> > (eg nsjail, minijail, firejail), and creation of good seccomp
> > policies.
> 
> By development do you mean debugging sandbox managers?  Or do you mean
> something that sandbox managers can use on a routine basis?

It'd really be nice to be able to get this info without the ptrace
relationship already in place... hmmm.

-- 
Kees Cook