Kees Cook keescook@chromium.org writes:
On Wed, Nov 17, 2021 at 05:20:33PM -0800, Kyle Huey wrote:
Yeah that's one way to solve the problem. I think you're right that fundamentally the problem here is that what SECCOMP_RET_KILL wants is not really a signal. To the extent that it wants a signal, what it really wants is SIGKILL, and the problem here is the code trying to act like SIGKILL but call it SIGSYS. I assume the ship for fixing that sailed years ago though.
Yeah, this was IIRC, a specific design choice (to distinguish a seccomp KILL from a SIGKILL), as desired by the sandboxing folks, and instead of using two different signals (one for KILL and one for TRAP), both used SIGSYS, with the KILL variant being uncatchable.
I see a general consensus on how to fix the regression. Linus patch plus some tweaks. I will get to work on that today.
For v5.15 I think all that needs to get fixed is what Linus fixed and the force_sigsegv case. That is my priority.
For v5.16-rc1+ the instances that became force_fatal_signal need a careful review to figure out which semantics we want.
Having a clear distinction between which forced signals we can let the debugger intercept and which ones we can not seems to be what needs to be added.
Kyle thank you for your explanation of what breaks. For future kernels I do need to do some work in this area and I will copy on the patches going forward. In particular I strongly suspect that changing the sigaction and blocked state of the signal for these synchronous signals is the wrong thing to do, especially if the process is not killed. I want to find another solution that does not break things but that also does not change the program state behind the programs back so things work differently under the debugger.
Eric