Changes

Security/Sandbox/Seccomp

932 bytes added, 15:51, 25 July 2016
Add information about crash reports
Note that the SIGSYS handler is also used for syscalls that we want to intercept and “polyfill” with some other action; in that case it modifies the signal context and returns, instead of crashing.
 
==== Crash reports ====
A sample crash report looks like [https://crash-stats.mozilla.com/report/index/1a06f493-a4bf-40a1-a4eb-241aa2160706 this]. One can see, that the crash reason is stated as 'SIGSYS', as stated above.
In order to figure out which system call caused the crash, one needs to look at the 'Crash Address' line, which in the above mentioned crash reports says 0x57.
 
With the architecture mentioned in the 'Build Architecture' line, one can then look into the corresponding system call table and figure out which system call caused the crash.
System call tables for x86_64 can be found in a file called [http://lxr.free-electrons.com/source/arch/x86/entry/syscalls/syscall_64.tbl syscall_64.tbl] and for x86 called [http://lxr.free-electrons.com/source/arch/x86/entry/syscalls/syscall_32.tbl syscall_32.tbl] in the Linux kernel source tree.
 
0x57 in decimal is 87, and since it is x86_64, syscall 87 is sys_unlink.
=== How do I check my processes are sandboxed by seccomp? ===
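Review bot: The new "Crash reports" text never states outright that the 'Crash Address' field holds the syscall number in hexadecimal; the reader has to infer it from the last added line, where 0x57 is converted to 87. Say so in the sentence that introduces 'Crash Address'. In the last line, make clear that "since it is x86_64" is read from the sample report's 'Build Architecture' line, because for an x86 build the same number has to be looked up in syscall_32.tbl instead. Wording: "One can see, that the crash reason is stated as 'SIGSYS', as stated above" has a stray comma and repeats "stated"; "One can see that the crash reason is 'SIGSYS', as described above" reads better.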