On Wed, Nov 17, 2021 at 05:20:33PM -0800, Kyle Huey wrote:
> Yeah that's one way to solve the problem. I think you're right that fundamentally the problem here is that what SECCOMP_RET_KILL wants is not really a signal. To the extent that it wants a signal, what it really wants is SIGKILL, and the problem here is the code trying to act like SIGKILL but call it SIGSYS. I assume the ship for fixing that sailed years ago though.
Yeah, this was, IIRC, a specific design choice (to distinguish a seccomp KILL from a SIGKILL), as desired by the sandboxing folks, and instead of using two different signals (one for KILL and one for TRAP), both used SIGSYS, with the KILL variant being uncatchable.