问题描述

为什么进入seccomp模式的进程总是在退出时被杀死?

Why does a process that has gone into seccomp mode always get killed on exit?

$ cat simple.c
#include <stdio.h>
#include <stdlib.h>
#include <linux/prctl.h>

int main( int argc, char **argv )
{
    printf("Starting\n");
    prctl(PR_SET_SECCOMP, 1);
    printf("Running\n");
    exit(0);
}
$ cc -o simple simple.c
$ ./simple || echo "Returned $?"
Starting
Running
Killed
Returned 137

推荐答案

在手册页的PR_SET_SECCOMP下，仅允许读取，写入，退出和sigreturn系统调用.

From the man page, under PR_SET_SECCOMP, the only allowed system calls are read, write, exit, and sigreturn.

在标准库中(在最近的Linux中)调用exit(0)时，您将调用exit_group系统调用，而不是退出.这是不允许的，所以您会得到SIGKILL.

When you call exit(0) in the standard library (in recent Linux), you call the exit_group system call, not exit. This is not allowed, so you get a SIGKILL.

(如果跟踪该过程，您可以看到此信息...)

(You can see this if you strace the process...)

这篇关于为什么seccomp进程总是被杀死?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！