Hi,

On Mon, Feb 15, 2016 at 12:12:09PM +0100, Pas wrote:
> Hello!
>
> Thanks for the quick response and for the hint! After testing with
> -fveseccomp,prctl
> it turns out that:
>
> docker-engine 1.10.1-0~wily uses seccomp (prctl PR_SET_SECCOMP,
> SECCOMP_MODE_FILTER and PR_CAPBSET_DROP ...), whereas 1.10.1-0~jessie
> doesn't. Though eventually by default Docker will filter out (almost all?)
> syscalls:
> https://docs.docker.com/engine/reference/run/#runtime-privilege-and-linux-capabilities

On entering a syscall, seccomp kernel hooks are executed before ptrace kernel hooks. As a result, when some syscall is blocked by a seccomp filter using the SECCOMP_RET_ERRNO statement, on many architectures including x86 and x86_64 the syscall number is clobbered and strace sees -1 in its place.

You can play with strace/tests/seccomp.c and see it yourself.

--
ldv
_______________________________________________
Strace-devel mailing list
Strace-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/strace-devel