On Thu, Feb 23, 2012 at 4:15 PM, Indan Zupancic [off-list ref] wrote:

On Thu, February 23, 2012 20:26, Will Drewry wrote:

quoted

Seems like there's an argument for another return code,
SECCOMP_RET_CORE, that resets/unblocks the SIGSYS handler since the
existing TRAP and KILL options seem to cover the other paths (signal
handler and do_exit).

What about making SECCOMP_RET_TRAP dump core/send SIGSYS if there is
no tracer with PTRACE_O_SECCOMP set? And perhaps go for a blockable
SIGSYS? That way you only have KILL, ERRNO and TRAP, with the last
one meaning deny, but giving someone else a chance to do something.
Or is that just confusing?

I don't think it makes sense to mix up signal delivery for in-process
handling and ptrace. In particular, TRACE calls must assume t the
ptracer actually enacted a policy, but with TRAP as is, it always
rejects it.

I don't think there should be too many return values, or else you
put too much runtime policy into the filters.

I'd rather make it explicit than not.  This will be a quagmire if any
behavior is implicit.

Sending SIGSYS is useful, but it's quite a bit less useful if user
space can't handle it in a signal handler, so I don't think it's
worth it to make a unblockable version.

I believe the point here would be that you'd get a useful coredump
without needing to enforce that the process can't handle normal SIGSYS
or other syscalls by blocking signal masking.

cheers!
will