As I’ve written in my blog post Recent Linux changes to help sandboxing, Linux has a few new features which may aid in enhancing sydbox-1.
One of these features is PTRACE_O_EXITKILL. This is a new ptrace option to kill tracees upon tracer exit. Quoting from ptrace(2):
PTRACE_O_EXITKILL (since Linux 3.8) If a tracer sets this flag, a SIGKILL signal will be sent to every tracee if the tracer exits. This option is useful for ptrace jailers that want to ensure that tracees can never escape the tracer's control.
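To show the option doing exactly what the man page promises, here is an added example in C; it is not code from this post or from sydbox-1. A tracer forks a tracee, sets PTRACE_O_EXITKILL on it with PTRACE_SETOPTIONS, resumes it and then exits without killing anything. An observer process, which has made itself a child subreaper with prctl(2) so the orphan is reparented to it rather than to init, then collects the tracee's status and checks that the kernel delivered SIGKILL. The function names, exit codes and the 5 second polling budget are my own choices; the code assumes a Linux 3.8 or newer kernel and an environment where ptrace is permitted (it reports 0 instead of failing where it is not, for example under a restrictive seccomp profile).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <sys/prctl.h>
#include <sys/ptrace.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Fallbacks for older libc headers (values from linux/ptrace.h, linux/prctl.h). */
#ifndef PTRACE_O_EXITKILL
#define PTRACE_O_EXITKILL 0x00100000
#endif
#ifndef PR_SET_CHILD_SUBREAPER
#define PR_SET_CHILD_SUBREAPER 36
#endif

/* Tracee: volunteer for tracing, stop so the tracer can set options, then idle. */
static void run_tracee(void)
{
    if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1)
        _exit(3);              /* ptrace not permitted in this environment */
    raise(SIGSTOP);
    for (;;)
        pause();               /* only a SIGKILL ends this */
}

/* Tracer: set PTRACE_O_EXITKILL on the stopped tracee, resume it, report its
 * pid to the observer, then exit abruptly without killing it ourselves. */
static void run_tracer(int report_fd)
{
    int status;
    pid_t tracee = fork();
    if (tracee == -1)
        _exit(2);
    if (tracee == 0)
        run_tracee();
    if (waitpid(tracee, &status, 0) == -1)
        _exit(2);
    if (WIFEXITED(status) && WEXITSTATUS(status) == 3)
        _exit(3);              /* propagate "ptrace not permitted" */
    if (!WIFSTOPPED(status))
        _exit(2);
    if (ptrace(PTRACE_SETOPTIONS, tracee, NULL, (void *)(long)PTRACE_O_EXITKILL) == -1) {
        kill(tracee, SIGKILL); /* kernel older than 3.8: option unknown */
        _exit(3);
    }
    if (ptrace(PTRACE_CONT, tracee, NULL, NULL) == -1 ||
        write(report_fd, &tracee, sizeof tracee) != (ssize_t)sizeof tracee) {
        kill(tracee, SIGKILL);
        _exit(2);
    }
    _exit(0);                  /* the "crash": tracee left to the kernel */
}

/* Observer. Returns 1 if the orphaned tracee died of SIGKILL once its tracer
 * was gone, 0 if ptrace or the option is unavailable here (seccomp-restricted
 * container, old kernel), -1 on any other failure. */
int demo_exitkill(void)
{
    int fds[2], status;
    pid_t tracee = 0;
    /* Subreaper: the orphaned tracee is reparented to us instead of init,
     * so we can collect its termination status. */
    if (pipe(fds) == -1 || prctl(PR_SET_CHILD_SUBREAPER, 1, 0, 0, 0) == -1)
        return -1;
    pid_t tracer = fork();
    if (tracer == -1)
        return -1;
    if (tracer == 0) {
        close(fds[0]);
        run_tracer(fds[1]);
    }
    close(fds[1]);
    ssize_t n = read(fds[0], &tracee, sizeof tracee);
    close(fds[0]);
    if (waitpid(tracer, &status, 0) == -1 || !WIFEXITED(status))
        return -1;
    if (WEXITSTATUS(status) == 3)
        return 0;
    if (WEXITSTATUS(status) != 0 || n != (ssize_t)sizeof tracee)
        return -1;
    /* The tracer is dead, so the kernel should already have sent SIGKILL.
     * Poll rather than block forever in case the option had no effect. */
    for (int i = 0; i < 50; i++) {
        pid_t r = waitpid(tracee, &status, WNOHANG);
        if (r == tracee)
            return (WIFSIGNALED(status) && WTERMSIG(status) == SIGKILL) ? 1 : -1;
        if (r == -1 && errno != ECHILD)
            return -1;
        nanosleep(&(struct timespec){ 0, 100 * 1000 * 1000 }, NULL);
    }
    kill(tracee, SIGKILL);     /* option did not take effect: clean up by hand */
    waitpid(tracee, &status, 0);
    return -1;
}
```

Call demo_exitkill() from a main() and build with gcc; a return of 1 means the tracee was reaped with WTERMSIG(status) == SIGKILL even though no user-space code ever sent that signal. The subreaper step is only there so the observer can see the orphan's status; a real jailer like sydbox-1 never needs it, because the whole point of the option is that the kernel does the killing after the tracer is gone.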
This is a simple feature providing a nice enhancement. sydbox-1 already had a similar feature to prevent tracees from running on after an abnormal exit. There are two options, namely core/abort/decision and core/panic/decision, which, when set accordingly, send SIGKILL to all traced processes upon abnormal exit. There is also the option core/trace/exit_wait_all to make sydbox-1 wait for all tracees to exit before exiting.
However, doing this in user-space is tricky and error-prone. Considering that it is the tracer which is dying unexpectedly, it may not always be possible to kill the tracees, which will then keep running in a potentially unsafe, unsandboxed mode. You can read this lkml thread and many more to dive into the internals of
One restriction is that the option core/trace/exit_kill is only useful when it is set upon startup. It does not work with the magic stat() system call.
ptrace(2) options are inherited from parent to children, thus trying to set this on a per-tracee basis requires one to change the value of the option for the parent and all its children. Although this is possible in theory (sydbox-1 keeps track of parent<->children relationships), it would add some complexity to the program which I do not want unless I see a well-founded reason to do so.