From nobody Fri Apr 3 22:31:12 2026 Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.133.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id B12A61F151C for ; Sun, 22 Mar 2026 13:45:04 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.133.124 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774187106; cv=none; b=T1A5G5zhT9ocduBBhlyZsk67LjOSmQDVdfke00vlf/ofovAhYJ4WNKdo4BkSNA9P28wnEknmQhNUpq5RfT4QFgBJdlyXTkPDeHQ9cXNuo8Xm+q3dUonJbReWCbLIXwUSUycDH4MKNbrcp6Oc2w+1TdqmdfnLfdrhpM5F3GUBmFw= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774187106; c=relaxed/simple; bh=zFgzt7SAJctoKruOUuR4tn+Eh8PkIHi7c3EwZny7B8w=; h=Date:From:To:Cc:Subject:Message-ID:MIME-Version:Content-Type: Content-Disposition; b=k3LfdtnKxemf3FD1AcycoUfytN/PR169dlqv2SXgIV0mh1p1MWZWFSlNmuMxCxMVbkoakAMnPW4fn6B+V0vikmAAc59kRBR0ndtMrqVnLhPVeQ1AlR9cbJpdjp9Q9eYhczggrxs9GtxK8xyyv9e939DEAFi2yBhwNl1iBc4ouvM= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=eojkiZk4; arc=none smtp.client-ip=170.10.133.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="eojkiZk4" DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1774187103; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type; bh=xaa7xaiSY9Sd3lPaXq0U15xmZ4NlWlvqedJMZYj+nuU=; b=eojkiZk4HwxUT30D8kXiVoNUwnD6m7gy4ShlLDOqBrhcOSNsInQiRMmdwO/zKEoO77AufP PmT5GvxmjaC7dEBP2UAZRttAErRXg6HfccRhwyVuIKa612ACTEELf2qoLNLgE3aoP1GoXe bBii8vE6W2hqAMlEsHHhKC8Xb/KAzeY= Received: from mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (ec2-54-186-198-63.us-west-2.compute.amazonaws.com [54.186.198.63]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-82-zpAzedV-NPGl74rpjT9J3g-1; Sun, 22 Mar 2026 09:45:01 -0400 X-MC-Unique: zpAzedV-NPGl74rpjT9J3g-1 X-Mimecast-MFC-AGG-ID: zpAzedV-NPGl74rpjT9J3g_1774187100 Received: from mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com [10.30.177.93]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by mx-prod-mc-03.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with ESMTPS id D5EE819560B4; Sun, 22 Mar 2026 13:44:59 +0000 (UTC) Received: from fedora (unknown [10.44.32.25]) by mx-prod-int-06.mail-002.prod.us-west-2.aws.redhat.com (Postfix) with SMTP id E2AF3180075B; Sun, 22 Mar 2026 13:44:55 +0000 (UTC) Received: by fedora (nbSMTP-1.00) for uid 1000 oleg@redhat.com; Sun, 22 Mar 2026 14:44:59 +0100 (CET) Date: Sun, 22 Mar 2026 14:44:54 +0100 From: Oleg Nesterov To: Andrew Morton , Andy Lutomirski , Kees Cook , Peter Zijlstra , Thomas Gleixner , Will Drewry Cc: Max Ver , linux-kernel@vger.kernel.org Subject: [RFC PATCH] ptrace: don't report syscall-exit if the tracee was killed by seccomp Message-ID: Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Disposition: inline X-Scanned-By: MIMEDefang 3.4.1 on 10.30.177.93 Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset="utf-8" __seccomp_filter() does case SECCOMP_RET_KILL_THREAD: case SECCOMP_RET_KILL_PROCESS: ... /* Show the original registers in the dump. */ syscall_rollback(current, current_pt_regs()); /* Trigger a coredump with SIGSYS */ force_sig_seccomp(this_syscall, data, true); syscall_rollback() does regs->ax =3D=3D orig_ax. This means that ptrace_get_syscall_info_exit() will see .is_error =3D=3D 0. To the tracer, it looks as if the aborted syscall actually succeeded and returned its own syscall number. And since force_sig_seccomp() uses force_coredump =3D=3D true, SIGSYS won't be reported (see the SA_IMMUTABLE check in get_signal()), so the tracee will "silently" exit with error_code =3D=3D SIGSYS after the bogus report. Change syscall_exit_work() to avoid the bogus single-step/syscall-exit reports if the tracee is SECCOMP_MODE_DEAD. TODO: With or without this change, get_signal() -> ptrace_signal() may report other !SA_IMMUTABLE pending signals before it dequeues SIGSYS. Perhaps it makes sense to change get_signal() to check SECCOMP_MODE_DEAD too and prioritize the fatal SIGSYS. Reported-by: Max Ver Closes: https://lore.kernel.org/all/CABjJbFJO+p3jA1r0gjUZrCepQb1Fab3kqxYhc_= PSfoqo21ypeQ@mail.gmail.com/ Signed-off-by: Oleg Nesterov --- include/linux/entry-common.h | 3 +++ include/linux/seccomp.h | 8 ++++++++ kernel/seccomp.c | 3 --- 3 files changed, 11 insertions(+), 3 deletions(-) diff --git a/include/linux/entry-common.h b/include/linux/entry-common.h index f83ca0abf2cd..5c62bda9dcf9 100644 --- a/include/linux/entry-common.h +++ b/include/linux/entry-common.h @@ -250,6 +250,9 @@ static __always_inline void syscall_exit_work(struct pt= _regs *regs, unsigned lon if (work & SYSCALL_WORK_SYSCALL_TRACEPOINT) trace_syscall_exit(regs, syscall_get_return_value(current, regs)); =20 + if (killed_by_seccomp(current)) + return; + step =3D report_single_step(work); if (step || work & SYSCALL_WORK_SYSCALL_TRACE) arch_ptrace_report_syscall_exit(regs, step); diff --git a/include/linux/seccomp.h b/include/linux/seccomp.h index 9b959972bf4a..e95a251955c1 100644 --- a/include/linux/seccomp.h +++ b/include/linux/seccomp.h @@ -22,6 +22,12 @@ #include #include =20 +/* Not exposed in uapi headers: internal use only. */ +#define SECCOMP_MODE_DEAD (SECCOMP_MODE_FILTER + 1) + +#define killed_by_seccomp(task) \ + ((task)->seccomp.mode =3D=3D SECCOMP_MODE_DEAD) + extern int __secure_computing(void); =20 #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER @@ -49,6 +55,8 @@ static inline int seccomp_mode(struct seccomp *s) =20 struct seccomp_data; =20 +#define killed_by_seccomp(task) 0 + #ifdef CONFIG_HAVE_ARCH_SECCOMP_FILTER static inline int secure_computing(void) { return 0; } #else diff --git a/kernel/seccomp.c b/kernel/seccomp.c index 066909393c38..461eb15c66c3 100644 --- a/kernel/seccomp.c +++ b/kernel/seccomp.c @@ -31,9 +31,6 @@ =20 #include =20 -/* Not exposed in headers: strictly internal use only. */ -#define SECCOMP_MODE_DEAD (SECCOMP_MODE_FILTER + 1) - #ifdef CONFIG_SECCOMP_FILTER #include #include --=20 2.52.0