Skip to content

RFE: Add SCMP_ACT_TRAPX() #469

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
drakenclimber wants to merge 1 commit into
base: main
Choose a base branch
from
Open

RFE: Add SCMP_ACT_TRAPX() #469

drakenclimber wants to merge 1 commit into from

Conversation

@drakenclimber
Copy link
Member

@drakenclimber drakenclimber commented Aug 18, 2025

This is my first cut at addressing Issue #466. I'm open to discussion on other or better ways to handle it.

I decided to add SCMP_ACT_TRAPX() (similar to SCMP_ACT_ERRNO()) where the user can specify the lower 16 bits of the action. These lower 16 bits are then fed into the si_errno field in the siginfo structure that is sent to the signal trap handler.

With that said, this feature has been in seccomp since it was added in 2012, and no user has requested it. In fact, it looks like it was found by debugging and snooping around in the source code :). I don't think most users care about it, so I have chosen to make this invisible to users by remapping SCMP_ACT_TRAP to SCMP_ACT_TRAPX(0). When users upgrade to a version of libseccomp with this feature, everything will behave as they have before.

If a user wants to use this feature, then they'll have to specifically use the SCMP_ACT_TRAPX() action. Its usage is clearly outlined in test 63-live-trapx.c

@drakenclimber drakenclimber added this to the v2.7.0 milestone Aug 18, 2025
@drakenclimber drakenclimber requested a review from pcmoore August 18, 2025 20:14
@drakenclimber drakenclimber self-assigned this Aug 18, 2025
@drakenclimber
Copy link
Member Author

drakenclimber commented Aug 18, 2025

Continuous integration is failing because coveralls is down... again :(

@pcmoore
Copy link
Member

pcmoore commented Aug 30, 2025

Continuous integration is failing because coveralls is down... again :(

Coveralls seems to be up at the moment so let's try to re-run that failed CI job ...

@drakenclimber
api: doc: tests: Add SCMP_ACT_TRAPX()
85eca32 
Add a new action macro, SCMP_ACT_TRAPX(), which accepts user-specified
data in the lower 16-bits.  When a userspace signal handler has been
specified, the Linux kernel populates the si_errno field in the siginfo
structure with these lower 16-bits from the trap action.

To maintain backward compatibility, redefine SCMP_ACT_TRAP to map to
SCMP_ACT_TRAPX(0).  This will guarantee that filters that utilize
SCMP_ACT_TRAP will behave identically.

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
@coveralls
Copy link

coveralls commented Sep 2, 2025

Coverage Status

coverage: 89.049% (+0.003%) from 89.046%
when pulling 85eca32 on drakenclimber:issue466
into 9b9ea8e on seccomp:main.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@pcmoore pcmoore Awaiting requested review from pcmoore

Assignees

@drakenclimber drakenclimber

Labels

enhancement pending/review

Projects

None yet

Milestone

v2.7.0

Development

Successfully merging this pull request may close these issues.

3 participants

@drakenclimber @pcmoore @coveralls