Re: seccomp: dump core when using SECCOMP_RET_KILL

2017-01-31 Thread Kees Cook
On Tue, Jan 31, 2017 at 1:59 PM, Andy Lutomirski wrote: > On Fri, Jan 27, 2017 at 1:48 PM, Kees Cook wrote: >> On Wed, Jan 25, 2017 at 12:05 PM, Kees Cook wrote: >>> On Tue, Jan 24, 2017 at 4:53 PM, Andrei Vagin wrote: Hi, One of CRIU tests fails with this patch: https://git

Re: seccomp: dump core when using SECCOMP_RET_KILL

2017-01-31 Thread Andy Lutomirski
On Fri, Jan 27, 2017 at 1:48 PM, Kees Cook wrote: > On Wed, Jan 25, 2017 at 12:05 PM, Kees Cook wrote: >> On Tue, Jan 24, 2017 at 4:53 PM, Andrei Vagin wrote: >>> Hi, >>> >>> One of CRIU tests fails with this patch: >>> https://github.com/xemul/criu/blob/master/test/zdtm/static/seccomp_filter_ts

Re: seccomp: dump core when using SECCOMP_RET_KILL

2017-01-31 Thread Andrei Vagin
On Fri, Jan 27, 2017 at 01:48:30PM -0800, Kees Cook wrote: > On Wed, Jan 25, 2017 at 12:05 PM, Kees Cook wrote: > > On Tue, Jan 24, 2017 at 4:53 PM, Andrei Vagin wrote: > >> Hi, > >> > >> One of CRIU tests fails with this patch: > >> https://github.com/xemul/criu/blob/master/test/zdtm/static/secc

Re: seccomp: dump core when using SECCOMP_RET_KILL

2017-01-28 Thread Paul Moore
On Fri, Jan 27, 2017 at 4:48 PM, Kees Cook wrote: > For logging, I think audit needs to grow fork-tracking, and/or have a > new "is under seccomp" test that can be exposed to auditctl. Then the > system owner can issue either "tell me about all seccomp kills" or > "tell me about seccomp kills in t

Re: seccomp: dump core when using SECCOMP_RET_KILL

2017-01-27 Thread Kees Cook
On Wed, Jan 25, 2017 at 12:05 PM, Kees Cook wrote: > On Tue, Jan 24, 2017 at 4:53 PM, Andrei Vagin wrote: >> Hi, >> >> One of CRIU tests fails with this patch: >> https://github.com/xemul/criu/blob/master/test/zdtm/static/seccomp_filter_tsync.c >> >> Before this patch only a thread which called a

Re: seccomp: dump core when using SECCOMP_RET_KILL

2017-01-25 Thread Kees Cook
On Tue, Jan 24, 2017 at 4:53 PM, Andrei Vagin wrote: > Hi, > > One of CRIU tests fails with this patch: > https://github.com/xemul/criu/blob/master/test/zdtm/static/seccomp_filter_tsync.c > > Before this patch only a thread which called a "wrong" syscall is killed. > Now a whole process is killed

Re: seccomp: dump core when using SECCOMP_RET_KILL

2017-01-24 Thread Mike Frysinger
thanks for the testcase. i'll take a look. when i went through the code visually, i didn't think it was killing, just suspending+resuming for the sake of snapshotting, but i must have misread. -mike On Tue, Jan 24, 2017 at 2:53 PM, Andrei Vagin wrote: > Hi, > > One of CRIU tests fails with this

Re: seccomp: dump core when using SECCOMP_RET_KILL

2017-01-24 Thread Andrei Vagin
Hi, One of CRIU tests fails with this patch: https://github.com/xemul/criu/blob/master/test/zdtm/static/seccomp_filter_tsync.c Before this patch only a thread which called a "wrong" syscall is killed. Now a whole process is killed if one of threads called a "wrong" syscall. Before this patch onl