From: Oleg Nesterov <oleg@redhat.com>
To: Max Ver <dudududumaxver@gmail.com>
Cc: Kees Cook <kees@kernel.org>,
bpf@vger.kernel.org, linux-kernel@vger.kernel.org,
Andy Lutomirski <luto@amacapital.net>,
Will Drewry <wad@chromium.org>
Subject: Re: Process killed by seccomp looks live by tracer
Date: Thu, 5 Mar 2026 18:45:53 +0100 [thread overview]
Message-ID: <aanBUeT2kQKpDWxZ@redhat.com> (raw)
In-Reply-To: <aamX8uw8UN23rkc_@redhat.com>
That said...
__seccomp_filter() does
case SECCOMP_RET_KILL_PROCESS:
...
/* Show the original registers in the dump. */
syscall_rollback(current, current_pt_regs());
/* Trigger a coredump with SIGSYS */
force_sig_seccomp(this_syscall, data, true);
This means that after syscall_rollback() regs->ax == orig_ax, so
ptrace_get_syscall_info_exit() will always report .is_error == 0.
And since force_sig_seccomp() uses force_coredump == true, SIGSYS
won't be reported (see the SA_IMMUTABLE check in get_signal()).
Again, it is not that I think this wrong. But perhaps Kees and Andy
can take a look and confirm that this is what we actually want.
Oleg.
On 03/05, Oleg Nesterov wrote:
>
> Hi Max,
>
> On 03/05, Max Ver wrote:
> >
> > >This is expected; PTRACE_GET_SYSCALL_INFO is at syscall entry before seccomp filtering has run.
> >
> > It also happens at the syscall exit. Take a look at the result, it
> > shows 'exit ok' twice.
>
> Why do you think this is wrong? (and I don't think this has something to
> do with seccomp, btw).
>
> > If we can agree on this is a bug, I suggest the kernel give a hint
> > about tracee exit in waitpid return value, what do you think?
>
> But the kernel already gives you a hint, no?
>
> Perhaps I missed your point, but see the change of your test-case below.
>
> Oleg.
>
>
> --- /tmp/PT.c~ 2026-03-05 15:18:18.397319905 +0100
> +++ /tmp/PT.c 2026-03-05 15:40:11.044415647 +0100
> @@ -15,6 +15,8 @@
> #include <sys/wait.h>
> #include <threads.h>
> #include <unistd.h>
> +#include <assert.h>
> +#include <errno.h>
>
> void
> child ()
> @@ -57,6 +59,14 @@
> puts ("child exit");
> exit (1);
> }
> +
> + if (WIFSIGNALED(status)) {
> + printf("signalled pid=%d sig=%d\n", pid, WTERMSIG(status));
> + assert(kill(pid, 0) == -1 && errno == ESRCH);
> + exit(0);
> + }
> +
> +
> if (ptrace (PTRACE_GET_SYSCALL_INFO, pid,
> sizeof (struct ptrace_syscall_info), &info)
> == -1)
next prev parent reply other threads:[~2026-03-05 17:46 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-04 10:51 Process killed by seccomp looks live by tracer Max Ver
2026-03-04 18:05 ` Kees Cook
2026-03-05 2:00 ` Max Ver
2026-03-05 14:49 ` Oleg Nesterov
2026-03-05 17:45 ` Oleg Nesterov [this message]
2026-03-06 2:55 ` Max Ver
2026-03-08 13:08 ` Oleg Nesterov
2026-03-22 13:40 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aanBUeT2kQKpDWxZ@redhat.com \
--to=oleg@redhat.com \
--cc=bpf@vger.kernel.org \
--cc=dudududumaxver@gmail.com \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.