On Wed, Jul 16, 2014 at 2:15 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> On Wed, Jul 16, 2014 at 1:21 PM, Kees Cook <keescook@xxxxxxxxxxxx> wrote:
>> On Tue, Jul 15, 2014 at 12:32 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>>>
>>> +
>>> + ret = seccomp_phase1(&sd);
>>> + if (ret == SECCOMP_PHASE1_SKIP) {
>>> + regs->orig_ax = -ENOSYS;
>>
>> Before, seccomp didn't touch orig_ax on a skip. I don't see any
>> problem with this, and it's probably more clear this way, but are you
>> sure there aren't unexpected side-effects from this?
>
> It's necessary to cause the syscall to be skipped -- see syscall_trace_enter.
>
> That being said, setting it to -ENOSYS is nonsense and probably
> confused you at least as much as it confused me. It should be
> regs->orig_ax = -1.

Yes, I think that would be better.

-Kees

--
Kees Cook
Chrome OS Security
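Review bot: in the SECCOMP_PHASE1_SKIP branch of the quoted hunk, `regs->orig_ax = -ENOSYS` writes an errno constant into the syscall-number slot, which hides the intent of the assignment. As the thread concludes, `regs->orig_ax = -1` says what is meant. Since this is also a behaviour change (seccomp previously left orig_ax untouched on a skip), the assignment deserves a one-line comment stating that it is what causes the syscall to be skipped and pointing at syscall_trace_enter, so the next reader does not have to rediscover that from this discussion.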