From bfe2c38f0c2d9db3b92ac345d558bf47b2d03baa Mon Sep 17 00:00:00 2001 From: Jakub Zakrzewski Date: Sat, 28 Aug 2021 19:27:12 +0200 Subject: [PATCH] Fix an issue in seccomp event handling logic, that could cause sysexit events handler to be missed if sysenter is handled during a syscall-enter-stop event instead of the seccomp ptrace event. This may be a (at least partial) fix for issue #106. --- src/tracee/event.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-) diff --git a/src/tracee/event.c b/src/tracee/event.c index aaf83e07..424abc8f 100644 --- a/src/tracee/event.c +++ b/src/tracee/event.c @@ -503,16 +503,24 @@ int handle_tracee_event_kernel_4_8(Tracee *tracee, int tracee_status) unsigned long flags = 0; signal = 0; - /* SECCOMP TRAP can only be received for - * sysenter events, ignore otherwise */ - if (!IS_IN_SYSENTER(tracee)) { - tracee->restart_how = PTRACE_CONT; - return 0; - } status = ptrace(PTRACE_GETEVENTMSG, tracee->pid, NULL, &flags); if (status < 0) break; + /* SECCOMP TRAP can only be received for + * sysenter events. It is sometimes possible for sysenter + * to be handled at the normal PTRACE_SYSCALL SIGTRAP handler, + * before seccomp trap arrives. + * This may happen for example during handling of the first + * syscall the traced process makes, before seccomp is enabled, + * however there is some other random and unknown factor that affects that. + * If this happened, then continue until the next syscall + * or sysexit if necessary. */ + if (!IS_IN_SYSENTER(tracee)) { + tracee->restart_how = (flags & FILTER_SYSEXIT) ? PTRACE_SYSCALL : PTRACE_CONT; + break; + } + if (tracee->seccomp == ENABLED && (flags & FILTER_SYSEXIT) == 0) { tracee->restart_how = PTRACE_CONT; translate_syscall(tracee);
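Review bot: In the new `!IS_IN_SYSENTER(tracee)` branch, the `PTRACE_CONT` arm (taken when `FILTER_SYSEXIT` is clear) resumes the tracee with no sysexit stop to follow, and nothing visible in this hunk moves the tracee back to the sysenter state. If that state is only advanced by the sysexit handler, later seccomp events would keep hitting this early `break` and never reach `translate_syscall(tracee)`, so syscalls would run with untranslated arguments. This is worth ruling out, since the comment itself says the trigger is not fully understood. I would record the invariant in the comment, for example `/* sysenter was already translated by the PTRACE_SYSCALL handler; tracee state is resynchronised in <place to be named> */`, and emit a verbose-level diagnostic in this branch so the occurrence can be observed. The switch case and the function both extend beyond the hunk, so any code after the switch that the old `return 0` bypassed now runs on this path via `break` and should be checked too.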