On 01/15, Alexei Starovoitov wrote: > > On Wed, Jan 15, 2025 at 7:06 AM Oleg Nesterov <o...@redhat.com> wrote: > > > > Or we can change __secure_computing() to do nothing if > > this_syscall == __NR_uretprobe. > > I think that's the best way forward. > seccomp already allowlists sigreturn syscall.
Only if SECCOMP_MODE_STRICT. But it won't help if we add __NR_uretprobe into into mode1_syscalls/mode1_syscalls_32. SECCOMP_MODE_FILTER can do anything. Just I guess nobody tries to offend sigreturn for obvious reasons. But yes, perhaps we do not have a better solution. Oleg.
