Why does a process that has gone into seccomp mode always get killed on exit?

$ cat simple.c 
#include <stdio.h>
#include <stdlib.h>
#include <linux/prctl.h>   /* PR_SET_SECCOMP */
#include <sys/prctl.h>     /* prctl() prototype; without it the call is an implicit declaration */

int main( int argc, char **argv )
{
    printf("Starting\n");
    prctl(PR_SET_SECCOMP, 1);   /* mode 1 is SECCOMP_MODE_STRICT */
    printf("Running\n");
    exit(0);
}
$ cc -o simple simple.c
$ ./simple || echo "Returned $?"
Starting
Running
Killed
Returned 137
1 Answer

From the man page, under PR_SET_SECCOMP, the only allowed system calls are read, write, exit, and sigreturn.

When you call exit(0) in the standard library (in recent Linux), you call the exit_group system call, not exit. This is not allowed, so you get a SIGKILL.

(You can see this if you strace the process...)

  • Fantastic, thank you. How do you get strace to print the exit_group call? strace ./simple shows "+++ killed by SIGKILL +++" immediately after the write for me. – engie Apr 11 '12 at 22:51
  • To see the exit_group in strace, you have to *not* set PR_SET_SECCOMP. – antlersoft Apr 11 '12 at 22:54
  • @engie antlersoft is definitely right, as shown in this [answer](http://stackoverflow.com/a/40455896/2411320). Thank you antlersoft for posting this! :) – gsamaras Nov 07 '16 at 01:29
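The behaviour the answer describes, shown as an added example (this is not code from the question or the answer): a parent forks a child, the child enters strict mode with prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) and then leaves through one of three paths, exit(0), _exit(0), or a raw exit(2) issued with syscall(SYS_exit, 0); the parent reports what waitpid() saw. Forking matters because a process that has entered strict mode can never get back out, so the demonstration has to happen in a throwaway child. The enum names, the result_t type and the exit status 100 used to signal "strict mode refused" are choices made for this example, not kernel or libc API. The refusal case is real: the kernel only lets a task enter strict mode when it has no seccomp mode set yet, so inside a container that already runs under a seccomp filter prctl() fails and the child reports that instead of being killed.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <signal.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/seccomp.h>

/* How the child should leave the process once strict mode is on. */
typedef enum {
    EXIT_VIA_LIBC,        /* exit(0): glibc finishes with exit_group(2)            */
    EXIT_VIA_UNDERSCORE,  /* _exit(0): glibc implements this with exit_group(2) too */
    EXIT_VIA_RAW_EXIT     /* syscall(SYS_exit, 0): the exit(2) strict mode permits   */
} exit_path_t;

/* What the parent observed (names chosen for this example). */
typedef enum {
    RESULT_EXITED_OK,            /* child exited normally with status 0                */
    RESULT_KILLED_SIGKILL,       /* child was killed by SIGKILL, i.e. a seccomp violation */
    RESULT_SECCOMP_UNAVAILABLE,  /* prctl() refused strict mode (seccomp disabled, or an
                                    outer filter is already installed, as in a container) */
    RESULT_OTHER                 /* fork/wait failure or an unexpected wait status      */
} result_t;

/* Exit status the child uses when it could not enter strict mode.
 * Arbitrary for this example; it only has to differ from 0. */
#define SECCOMP_UNAVAILABLE_STATUS 100

/*
 * Fork a child, put it into SECCOMP_MODE_STRICT and make it leave via `how`.
 * The parent reports what waitpid() saw. Forking keeps the caller usable:
 * once strict mode is on, the child can never return to a normal state.
 */
result_t run_in_strict_seccomp(exit_path_t how)
{
    fflush(NULL);                 /* don't let the child inherit pending stdio output */
    pid_t pid = fork();
    if (pid < 0)
        return RESULT_OTHER;

    if (pid == 0) {
        if (prctl(PR_SET_SECCOMP, SECCOMP_MODE_STRICT) != 0)
            _exit(SECCOMP_UNAVAILABLE_STATUS);  /* still unfiltered here, exit_group is fine */

        /* From here on only read(2), write(2), exit(2) and sigreturn(2) are allowed. */
        switch (how) {
        case EXIT_VIA_LIBC:       exit(0);               /* -> exit_group(2): SIGKILL */
        case EXIT_VIA_UNDERSCORE: _exit(0);              /* -> exit_group(2): SIGKILL */
        case EXIT_VIA_RAW_EXIT:   syscall(SYS_exit, 0);  /* -> exit(2): allowed       */
        }
        for (;;)                  /* not reached; only exit(2) is safe to issue here */
            syscall(SYS_exit, 1);
    }

    int status;
    if (waitpid(pid, &status, 0) != pid)
        return RESULT_OTHER;
    if (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL)
        return RESULT_KILLED_SIGKILL;
    if (WIFEXITED(status) && WEXITSTATUS(status) == 0)
        return RESULT_EXITED_OK;
    if (WIFEXITED(status) && WEXITSTATUS(status) == SECCOMP_UNAVAILABLE_STATUS)
        return RESULT_SECCOMP_UNAVAILABLE;
    return RESULT_OTHER;
}

const char *describe(result_t r)
{
    switch (r) {
    case RESULT_EXITED_OK:           return "exited normally (status 0)";
    case RESULT_KILLED_SIGKILL:      return "killed by SIGKILL";
    case RESULT_SECCOMP_UNAVAILABLE: return "strict seccomp not available here";
    default:                         return "unexpected result";
    }
}

int main(void)
{
    printf("exit(0)              : %s\n", describe(run_in_strict_seccomp(EXIT_VIA_LIBC)));
    printf("_exit(0)             : %s\n", describe(run_in_strict_seccomp(EXIT_VIA_UNDERSCORE)));
    printf("syscall(SYS_exit, 0) : %s\n", describe(run_in_strict_seccomp(EXIT_VIA_RAW_EXIT)));
    return 0;
}
```

On a plain Linux host the first two lines report "killed by SIGKILL" and the third "exited normally": the libc wrappers reach the kernel through exit_group(2), which strict mode treats like any other forbidden call, while the raw exit(2) is on the allow list. Note that _exit(0) does not help either, because glibc implements it with exit_group(2) as well; the only way out of a strict-mode process is the raw exit(2) system call. This is also why strace cannot show the exit_group call in the killed run: the process is killed at the point of entering the system call, so nothing but the SIGKILL is visible.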