On 04/21, Kees Cook wrote:
>
> On Sun, Apr 19, 2026 at 05:53:25PM +0200, Oleg Nesterov wrote:
> > seccomp_nack_syscall() calls syscall_rollback(), which means that the
> > syscall exit path sees the original syscall number as the return value.
> >
> > This confuses audit_syscall_exit(), trace_syscall_exit(), and ptrace,
> > causing them to report completely bogus syscall exit events.
> >
> > Add a new SYSCALL_WORK_SECCOMP_EXIT flag set by seccomp_nack_syscall(),
> > and change syscall_exit_work() to return early if this flag is set. After
> > all, this syscall was never actually executed.
>
> I think this looks good.

Great,

> I'd like to cover the non-generic syscall
> paths, though, too?

OK, I'll try to make the "extended" V2 soon.

> (Otherwise we immediately have a behavioral
> difference between e.g. x86 and arm64.)

Yes, yes, agreed, I even mentioned this in 0/2.

Thanks!

Oleg.
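A user-space C model of the mechanism the quoted patch description talks about (an added example, not code from this thread or from the kernel): on x86 syscall_rollback() copies orig_ax back into ax, so an exit-path consumer that reads ax as the return value sees the syscall number instead. The struct layout, the flag macro and the helper names are assumptions that mirror the thread's terminology, and the initial ax value is a constructed stand-in.

```c
#include <stdio.h>

/* Added example: a simplified user-space model, not Linux kernel code. */
#define SYSCALL_WORK_SECCOMP_EXIT (1u << 0)   /* flag proposed in the thread */
#define MODEL_EPERM 1                         /* constructed errno stand-in */

struct pt_regs { long orig_ax; long ax; };    /* x86 convention: orig_ax = nr, ax = retval */
struct task { struct pt_regs regs; unsigned syscall_work; };

/* Models x86 syscall_rollback(): the syscall number goes back into ax. */
static void syscall_rollback(struct pt_regs *regs) { regs->ax = regs->orig_ax; }

/* seccomp refused the syscall: roll back and, with the fix, record that. */
static void seccomp_nack_syscall(struct task *t, int with_fix)
{
    syscall_rollback(&t->regs);
    if (with_fix)
        t->syscall_work |= SYSCALL_WORK_SECCOMP_EXIT;
}

/* Models syscall_exit_work(): returns 1 plus the value audit/tracing would
 * record as the return value, or 0 if exit work is skipped entirely. */
static int syscall_exit_work(const struct task *t, long *recorded)
{
    if (t->syscall_work & SYSCALL_WORK_SECCOMP_EXIT)
        return 0;                    /* never executed: report nothing */
    *recorded = t->regs.ax;          /* regs_return_value() equivalent */
    return 1;
}

/* Run one syscall number through the model. denied: seccomp nacks it;
 * with_fix: the flag from the thread is in place. Returns whether the
 * exit path reported anything and, via *recorded, what it recorded. */
int model_exit(long nr, int denied, int with_fix, long *recorded)
{
    struct task t = { { nr, -MODEL_EPERM }, 0 };  /* ax: what a real run returned */
    if (denied)
        seccomp_nack_syscall(&t, with_fix);
    return syscall_exit_work(&t, recorded);
}

int main(void)
{
    long v;
    int r = model_exit(257, 1, 0, &v);   /* 257 = openat on x86-64, denied, no fix */
    printf("no fix: reported=%d value=%ld (looks like success)\n", r, v);
    r = model_exit(257, 1, 1, &v);
    printf("fix:    reported=%d\n", r);
    return 0;
}
```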

