From: Oleg Nesterov <oleg@redhat.com>
To: Kees Cook <kees@kernel.org>
Cc: Andy Lutomirski <luto@kernel.org>,
Peter Zijlstra <peterz@infradead.org>,
Thomas Gleixner <tglx@kernel.org>, Will Drewry <wad@chromium.org>,
Kusaram Devineni <kusaram@devineni.in>,
Max Ver <dudududumaxver@gmail.com>,
linux-kernel@vger.kernel.org
Subject: Re: [RFC PATCH 2/2] seccomp: defer syscall_rollback() to get_signal()
Date: Tue, 14 Apr 2026 19:41:39 +0200 [thread overview]
Message-ID: <ad58U8BRYMiW5rCk@redhat.com> (raw)
In-Reply-To: <202604141026.4BEA64A4@keescook>
On 04/14, Kees Cook wrote:
>
> On Tue, Apr 14, 2026 at 06:48:20PM +0200, Oleg Nesterov wrote:
> > Currently, seccomp_nack_syscall() calls syscall_rollback() immediately.
> > Because this restores the original registers, the syscall exit path sees
> > the original syscall number as the return value.
> >
> > This confuses audit_syscall_exit(), trace_syscall_exit(), and ptrace.
> >
> > Change seccomp_nack_syscall() to call syscall_set_return_value(-EINTR),
> > and add the new check_force_sig_seccomp() helper called by get_signal()
> > which does syscall_rollback() if the signal was sent by seccomp.
> >
> > Note that the si_code == SYS_SECCOMP check in check_force_sig_seccomp()
> > is not 100% reliable, see the comment in check_force_sig_seccomp(), but
> > I hope we don't really care.
> >
> > Reported-by: Max Ver <dudududumaxver@gmail.com>
> > Closes: https://lore.kernel.org/all/CABjJbFJO+p3jA1r0gjUZrCepQb1Fab3kqxYhc_PSfoqo21ypeQ@mail.gmail.com/
> > Signed-off-by: Oleg Nesterov <oleg@redhat.com>
>
> Can we also add a new selftest for this case?
Yes sure. but do you agree with this RFC approach?
See also 0/2. Perhaps SYSCALL_WORK_SYSCALL_XXX makes more sense?
I do think it makes more sense and it is closer to my initial
"[RFC PATCH] ptrace: don't report syscall-exit if the tracee was killed by seccomp"
attempt/
But I'm afraid this change would be "too visible".
> I'd like to be sure we
> don't regress when we make changes in the future...
Yes, I understand.
And just in case... I ran tools/testing/selftests/seccomp/seccomp_bpf, it
doesn't show any regression.
Oleg.
next prev parent reply other threads:[~2026-04-14 17:41 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-14 16:47 [RFC PATCH 0/2] seccomp: defer syscall_rollback() to get_signal() Oleg Nesterov
2026-04-14 16:48 ` [RFC PATCH 1/2] seccomp: introduce seccomp_nack_syscall() helper Oleg Nesterov
2026-04-14 16:48 ` [RFC PATCH 2/2] seccomp: defer syscall_rollback() to get_signal() Oleg Nesterov
2026-04-14 17:27 ` Kees Cook
2026-04-14 17:41 ` Oleg Nesterov [this message]
2026-04-15 15:50 ` Kees Cook
2026-04-15 16:08 ` Oleg Nesterov
2026-04-15 10:44 ` [RFC PATCH 0/2] " Oleg Nesterov
2026-04-15 16:07 ` Kees Cook
2026-04-15 19:21 ` Kees Cook
2026-04-16 14:07 ` Oleg Nesterov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ad58U8BRYMiW5rCk@redhat.com \
--to=oleg@redhat.com \
--cc=dudududumaxver@gmail.com \
--cc=kees@kernel.org \
--cc=kusaram@devineni.in \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=tglx@kernel.org \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.