Currently, Breakpad relies on facilities that are disallowed inside the Linux seccomp sandbox. Specifically, it sets a signal handler to catch faults (currently disallowed), forks a new process, and uses ptrace() (also disallowed) to read the memory of the faulted process.
There are three ways we could do crash dumping of seccomp-sandboxed processes:
ptrace()s the sandboxed process to catch faults.
In case a trusted thread faults with a SIGSEGV, we must make sure that an untrusted thread cannot register a signal handler that will run in the context of the trusted thread.
Here are some mechanisms that could make this safe:
sigaltstack()is per-thread. If we opt not to set a signal stack for trusted threads, and set %esp/%rsp to an invalid address, trusted threads will die safely if they fault.
CLONE_SIGHANDflag. By omitting this flag, trusted and untrusted threads can have different sets of signal handlers. This means we can opt not to set signal handlers for trusted threads.
sigprocmask()/pthread_sigmask(): These can be used to block signal handling in trusted threads.