    seccomp: dump core when using SECCOMP_RET_KILL · b25e6716
    Mike Frysinger authored
    The SECCOMP_RET_KILL mode is documented as immediately killing the
    process as if a SIGSYS had been sent and not caught (similar to a
    SIGKILL).  However, a SIGSYS is documented as triggering a coredump
    which does not happen today.
    
    This has the advantage of being able to more easily debug a process
    that fails a seccomp filter.  Today, most apps need to recompile and
    change their filter in order to get detailed info out, or manually run
    things through strace, or enable detailed kernel auditing.  Now we get
    coredumps that fit into existing system-wide crash reporting setups.
    
    From a security pov, this shouldn't be a problem.  Unhandled signals
    can already be sent externally which trigger a coredump independent of
    the status of the seccomp filter.  The act of dumping core itself does
    not cause change in execution of the program.
    
    URL: https://crbug.com/676357
    Signed-off-by: Mike Frysinger <vapier@chromium.org>
    Acked-by: Jorge Lucangeli Obes <jorgelo@chromium.org>
    Acked-by: Kees Cook <keescook@chromium.org>
    Signed-off-by: James Morris <james.l.morris@oracle.com>
seccomp.c 24 KB
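
The behaviour the commit message describes can be observed from user space. The following is an added example, not part of the commit or the kernel source: a parent forks a child that installs a `SECCOMP_RET_KILL` filter and trips it, then reads the terminating signal and the core-dump flag from the wait status. The helper names and the choice of `getppid()` as the filtered syscall are assumptions made for the demo.

```c
#define _GNU_SOURCE
#include <stddef.h>
#include <stdio.h>
#include <signal.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Constructed demo filter: SECCOMP_RET_KILL on getppid(), allow everything else.
 * A real filter must also check seccomp_data.arch before matching on nr. */
static int install_kill_filter(void)
{
    struct sock_filter insns[] = {
        BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
        BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_getppid, 0, 1),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
        BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    };
    struct sock_fprog prog = { .len = sizeof(insns) / sizeof(insns[0]), .filter = insns };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

/* Returns the child's terminating signal (-1 if not signal-killed); *dumped = WCOREDUMP. */
int run_filtered_child(int *dumped)
{
    int status = 0;
    pid_t pid = fork();
    if (pid == 0) {
        if (install_kill_filter() != 0)
            _exit(2);            /* seccomp filter mode unavailable here */
        syscall(__NR_getppid);   /* trips the filter */
        _exit(3);                /* not reached when the filter is active */
    }
    if (pid < 0 || waitpid(pid, &status, 0) != pid || !WIFSIGNALED(status))
        return -1;
    *dumped = WCOREDUMP(status) ? 1 : 0;
    return WTERMSIG(status);
}

int main(void)
{
    int dumped = 0, sig = run_filtered_child(&dumped);
    printf("termsig=%d (SIGSYS=%d) core_dumped=%d\n", sig, SIGSYS, dumped);
    return sig == SIGSYS ? 0 : 1;
}
```

The terminating signal is `SIGSYS` with or without this change; `core_dumped` becomes 1 only on a kernel that includes it and only when `RLIMIT_CORE` and `core_pattern` allow a dump to be written.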