On Sun, Apr 19, 2026 at 05:53:25PM +0200, Oleg Nesterov wrote:
> seccomp_nack_syscall() calls syscall_rollback(), which means that the
> syscall exit path sees the original syscall number as the return value.
>
> This confuses audit_syscall_exit(), trace_syscall_exit(), and ptrace,
> causing them to report completely bogus syscall exit events.
>
> Add a new SYSCALL_WORK_SECCOMP_EXIT flag set by seccomp_nack_syscall(),
> and change syscall_exit_work() to return early if this flag is set. After
> all, this syscall was never actually executed.

I think this looks good. I'd like to cover the non-generic syscall paths,
though, too? (Otherwise we immediately have a behavioral difference
between e.g. x86 and arm64.)

--
Kees Cook

