Re: Process killed by seccomp looks live by tracer

Next message: patchwork-bot+netdevbpf: "Re: [PATCH V2] net: nfc: nci: Fix zero-length proprietary notifications"
Previous message: Daniel Borkmann: "Re: [PATCH net 1/3] bpf: bpf_out_neigh_v4: Fix nd_tbl NULL dereference when IPv6 is disabled"
In reply to: Kees Cook: "Re: Process killed by seccomp looks live by tracer"
Next in thread: Oleg Nesterov: "Re: Process killed by seccomp looks live by tracer"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Max Ver

Date: Wed Mar 04 2026 - 21:00:36 EST

>This is expected; PTRACE_GET_SYSCALL_INFO is at syscall entry before seccomp filtering has run.

It also happens at the syscall exit. Take a look at the result, it
shows 'exit ok' twice.
If we can agree on this is a bug, I suggest the kernel give a hint
about tracee exit in waitpid return value, what do you think?

Kees Cook <kees@xxxxxxxxxx> 于2026年3月5日周四 02:05写道：
>
>
>
> On March 4, 2026 2:51:38 AM PST, Max Ver <dudududumaxver@xxxxxxxxx> wrote:
> >I was using ptrace to trace a tracee status, using
> >`PTRACE_GET_SYSCALL_INFO` and `PTRACE_SYSCALL`
> >to get its syscall arguments and results. When a tracee killed by its
> >seccomp, the tracer can't know immediately,
> >instead, the `PTRACE_GET_SYSCALL_INFO` tell tracer that tracee exit
> >with no error. The syscall wasn't actually
> >executed, it was captured by seccomp, even the tracee was killed by seccomp.
> >
> >Here is a poc explaining what I said.
> >I was expecting to aware the death of tracee at the fourth
> >`PTRACE_GET_SYSCALL_INFO`,
> >at least `PTRACE_GET_SYSCALL_INFO` should tell that the syscall
> >failed, or get some different message from waitpid.
> >But the result are below. Tracer can only get the death of tracee at
> >the fifth loop.
>
> This is expected; PTRACE_GET_SYSCALL_INFO is at syscall entry before seccomp filtering has run.
>
> --
> Kees Cook