• Kees Cook's avatar
    /proc/pid/status: add "Seccomp" field · 2f4b3bf6
    Kees Cook authored
    It is currently impossible to examine the state of seccomp for a given
    process.  While attaching with gdb and attempting "call
    prctl(PR_GET_SECCOMP,...)" will work with some situations, it is not
    reliable.  If the process is in seccomp mode 1, this query will kill the
    process (prctl not allowed), if the process is in mode 2 with prctl not
    allowed, it will similarly be killed, and in weird cases, if prctl is
    filtered to return errno 0, it can look like seccomp is disabled.
    When reviewing the state of running processes, there should be a way to
    externally examine the seccomp mode.  ("Did this build of Chrome end up
    using seccomp?" "Did my distro ship ssh with seccomp enabled?")
    This adds the "Seccomp" line to /proc/$pid/status.
    Signed-off-by: default avatarKees Cook <keescook@chromium.org>
    Reviewed-by: default avatarCyrill Gorcunov <gorcunov@openvz.org>
    Cc: Andrea Arcangeli <aarcange@redhat.com>
    Cc: James Morris <jmorris@namei.org>
    Acked-by: default avatarSerge E. Hallyn <serge.hallyn@ubuntu.com>
    Signed-off-by: default avatarAndrew Morton <akpm@linux-foundation.org>
    Signed-off-by: default avatarLinus Torvalds <torvalds@linux-foundation.org>
proc.txt 75.8 KB