Re: [RFC PATCH] ptrace: don't report syscall-exit if the tracee was killed by seccomp

[Oleg Nesterov]

On 03/22, Oleg Nesterov wrote:
>
> On 03/22, Kees Cook wrote:
> >
> > Hmm. I'm still not convinced this is right,
>
> Me too actually ;)
>
> That is why RFC. So:
>
> 	- Do you agree that the current behaviour is not really "sane" and
> 	  can confuse ptracers?
>
> 	- If yes, what else do you think we can do? No, I no longer think it
> 	  makes sense to change the ptrace_get_syscall_info_exit() paths...

Perhaps _something_ like the change below makes more sense?

Oleg.

--- x/kernel/seccomp.c
+++ x/kernel/seccomp.c
@@ -1357,8 +1357,8 @@ static int __seccomp_filter(int this_sys
 		/* Dump core only if this is the last remaining thread. */
 		if (action != SECCOMP_RET_KILL_THREAD ||
 		    (atomic_read(&current->signal->live) == 1)) {
-			/* Show the original registers in the dump. */
-			syscall_rollback(current, current_pt_regs());
+			syscall_set_return_value(current, current_pt_regs(),
+						 -EINTR, 0);
 			/* Trigger a coredump with SIGSYS */
 			force_sig_seccomp(this_syscall, data, true);
 		} else {
--- a/kernel/signal.c
+++ b/kernel/signal.c
@@ -2916,6 +2916,11 @@ bool get_signal(struct ksignal *ksig)
 		if (!signr)
 			break; /* will return 0 */
 
+
+		// incomplete and ugly, just for illustration
+		if (ksig->info.si_code == SYS_SECCOMP)
+			syscall_rollback(current, current_pt_regs());
+
 		if (unlikely(current->ptrace) && (signr != SIGKILL) &&
 		    !(sighand->action[signr -1].sa.sa_flags & SA_IMMUTABLE)) {
 			signr = ptrace_signal(signr, &ksig->info, type);