On Tue, Jan 14, 2025 at 03:33:13PM +0100, Oleg Nesterov wrote: > On 01/14, Eyal Birger wrote: > > > > FWIW If I change the seccomp policy to SCMP_ACT_KILL this still fails. > > Ah... I don't know what SCMP_ACT_KILL is, but indeed, in general it is > not safe to even try to call sys_uretprobe() if it is filtered. > > Say, __secure_computing(SECCOMP_MODE_STRICT)->__secure_computing_strict() > does do_exit(SIGKILL) :/ ugh.. could we just 'disable' uretprobe trampoline when seccomp gets enabled? overwrite first byte with int3.. and similarly check on seccomp when installing uretprobe and switch to int3 jirka
