From: Thomas Gleixner <tglx@kernel.org>
To: Jinjie Ruan <ruanjinjie@huawei.com>,
peterz@infradead.org, luto@kernel.org, kees@kernel.org,
wad@chromium.org, linux-kernel@vger.kernel.org
Cc: ruanjinjie@huawei.com
Subject: Re: [PATCH RESEND] entry: Fix seccomp bypass after ptrace with TSYNC
Date: Sun, 12 Jul 2026 12:08:53 +0200 [thread overview]
Message-ID: <874ii4r03u.ffs@fw13> (raw)
In-Reply-To: <20260709073030.3844316-1-ruanjinjie@huawei.com>
On Thu, Jul 09 2026 at 15:30, Jinjie Ruan wrote:
> Sashiko review pointed out the following issue[1].
>
> If a thread is stopped in syscall_trace_enter() for ptrace, another
> thread can install a seccomp filter with SECCOMP_FILTER_FLAG_TSYNC
> (e.g., via seccomp_attach_filter()). This will successfully set
> SYSCALL_WORK_SECCOMP on the stopped thread, but syscall_trace_enter()
> evaluates a cached 'work' variable sampled on entry. Consequently,
> the subsequent check for SYSCALL_WORK_SECCOMP misses the newly
> assigned flag, and the filter is silently bypassed.
>
> This race condition could allow an unprivileged process to execute
> a prohibited system call (e.g., execve) that the newly installed filter
> was intended to block, especially since the tracer might have modified
> the system call number during the ptrace stop.
>
> Fix this by replacing the cached seccomp check with a call to
> seccomp_permit_syscall(), which re-reads the thread's up-to-date
> TIF_SECCOMP flag and thus correctly observes the flag if it was set
> during the ptrace stop.
No, we are not doing this unconditionally.
Thanks,
tglx
---
--- a/include/linux/entry-common.h
+++ b/include/linux/entry-common.h
@@ -98,6 +98,8 @@ static __always_inline long syscall_trac
ret = arch_ptrace_report_syscall_entry(regs);
if (ret || (work & SYSCALL_WORK_SYSCALL_EMU))
return -1L;
+ /* ptrace might have changed work flags */
+ work = READ_ONCE(current_thread_info()->syscall_work);
}
/* Do seccomp after ptrace, to catch any tracer changes. */
next prev parent reply other threads:[~2026-07-12 10:08 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-07-09 7:30 [PATCH RESEND] entry: Fix seccomp bypass after ptrace with TSYNC Jinjie Ruan
2026-07-12 10:08 ` Thomas Gleixner [this message]
2026-07-13 2:40 ` Jinjie Ruan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=874ii4r03u.ffs@fw13 \
--to=tglx@kernel.org \
--cc=kees@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@kernel.org \
--cc=peterz@infradead.org \
--cc=ruanjinjie@huawei.com \
--cc=wad@chromium.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox