syscall_4294967295
Dmitry V. Levin
ldv at altlinux.org
Mon Feb 15 12:21:07 UTC 2016
Hi,
On Mon, Feb 15, 2016 at 12:12:09PM +0100, Pas wrote:
> Hello!
>
> Thanks for the quick response and for the hint! After testing with
> -fveseccomp,prctl
> it turns out that:
>
> docker-engine 1.10.1-0~wily uses seccomp (prctl PR_SET_SECCOMP,
> SECCOMP_MODE_FILTER and PR_CAPBSET_DROP ...), whereas 1.10.1-0~jessie
> doesn't. Though eventually by default Docker will filter out (almost all?)
> syscalls:
> https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities
On entering syscall, seccomp kernel hooks are executed before ptrace
kernel hooks. As result, when some syscall is blocked by seccomp filter
using SECCOMP_RET_ERRNO statement, on many architectures including x86 and
x86_64 the syscall number is clobbered and straces sees -1 in its place.
You can play with strace/tests/seccomp.c and see it yourself.
--
ldv
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 819 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20160215/c82cf9ac/attachment.bin>
More information about the Strace-devel
mailing list