Dmitry V. Levin ldv at
Mon Feb 15 12:21:07 UTC 2016


On Mon, Feb 15, 2016 at 12:12:09PM +0100, Pas wrote:
> Hello!
> Thanks for the quick response and for the hint! After testing with
> -fveseccomp,prctl
> it turns out that:
> docker-engine 1.10.1-0~wily uses seccomp (prctl PR_SET_SECCOMP,
> SECCOMP_MODE_FILTER and PR_CAPBSET_DROP ...), whereas 1.10.1-0~jessie
> doesn't. Though eventually by default Docker will filter out (almost all?)
> syscalls:

On entering a syscall, seccomp kernel hooks are executed before ptrace
kernel hooks.  As a result, when some syscall is blocked by a seccomp filter
using a SECCOMP_RET_ERRNO statement, on many architectures including x86 and
x86_64 the syscall number is clobbered and strace sees -1 in its place.

You can play with strace/tests/seccomp.c and see it yourself.

