Re: Process killed by seccomp looks live by tracer

[Max Ver]

Thanks for the `WIFSIGNALED` check, it does work at the fifth loop.

>Why do you think this is wrong? (and I don't think this has something to
do with seccomp, btw).

I suppose it's more reasonable for kernel to give a hint just after
the syscall killed by seccomp at the fourth loop. So that we can know
the syscall is rollbacked, or else we can only assume the syscall may
succeed.

Oleg Nesterov <oleg@xxxxxxxxxx> 于2026年3月6日周五 01:46写道：
>
> That said...
>
> __seccomp_filter() does
>
>         case SECCOMP_RET_KILL_PROCESS:
>         ...
>                 /* Show the original registers in the dump. */
>                 syscall_rollback(current, current_pt_regs());
>
>                 /* Trigger a coredump with SIGSYS */
>                 force_sig_seccomp(this_syscall, data, true);
>
> This means that after syscall_rollback() regs->ax == orig_ax, so
> ptrace_get_syscall_info_exit() will always report .is_error == 0.
>
> And since force_sig_seccomp() uses force_coredump == true, SIGSYS
> won't be reported (see the SA_IMMUTABLE check in get_signal()).
>
> Again, it is not that I think this wrong. But perhaps Kees and Andy
> can take a look and confirm that this is what we actually want.
>
> Oleg.
>
> On 03/05, Oleg Nesterov wrote:
> >
> > Hi Max,
> >
> > On 03/05, Max Ver wrote:
> > >
> > > >This is expected; PTRACE_GET_SYSCALL_INFO is at syscall entry before seccomp filtering has run.
> > >
> > > It also happens at the syscall exit. Take a look at the result, it
> > > shows 'exit ok' twice.
> >
> > Why do you think this is wrong? (and I don't think this has something to
> > do with seccomp, btw).
> >
> > > If we can agree on this is a bug, I suggest the kernel give a hint
> > > about tracee exit in waitpid return value, what do you think?
> >
> > But the kernel already gives you a hint, no?
> >
> > Perhaps I missed your point, but see the change of your test-case below.
> >
> > Oleg.
> >
> >
> > --- /tmp/PT.c~        2026-03-05 15:18:18.397319905 +0100
> > +++ /tmp/PT.c 2026-03-05 15:40:11.044415647 +0100
> > @@ -15,6 +15,8 @@
> >  #include <sys/wait.h>
> >  #include <threads.h>
> >  #include <unistd.h>
> > +#include <assert.h>
> > +#include <errno.h>
> >
> >  void
> >  child ()
> > @@ -57,6 +59,14 @@
> >        puts ("child exit");
> >        exit (1);
> >      }
> > +
> > +     if (WIFSIGNALED(status)) {
> > +             printf("signalled pid=%d sig=%d\n", pid, WTERMSIG(status));
> > +             assert(kill(pid, 0) == -1 && errno == ESRCH);
> > +             exit(0);
> > +     }
> > +
> > +
> >    if (ptrace (PTRACE_GET_SYSCALL_INFO, pid,
> >                sizeof (struct ptrace_syscall_info), &info)
> >        == -1)
>