seccomp · drakenclimber · Aug 18, 2025
diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
@@ -67,12 +67,24 @@ The entire process will be terminated by the kernel with SIGSYS when it calls a
 syscall that does not match any of the configured seccomp filter rules.
 .TP
 .B SCMP_ACT_TRAP
+See
+.B SCMP_ACT_TRAPX
+.TP
+.B SCMP_ACT_TRAPX(unit16_t reason)
 The thread will be sent a SIGSYS signal when it calls a syscall that does not
 match any of the configured seccomp filter rules.  It may catch this and change
 its behavior accordingly.  When using SA_SIGINFO with
 .BR sigaction (2),
 si_code will be set to SYS_SECCOMP, si_syscall will be set to the syscall that
 failed the rules, and si_arch will be set to the AUDIT_ARCH for the active ABI.
+If
+.B SCMP_ACT_TRAPX
+is utilized,
+the si_errno field in
+.BR sigaction (2),
+will be set to
+.I reason
+.
 .TP
 .B SCMP_ACT_ERRNO(uint16_t errno)
 The thread will receive a return value of

diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
@@ -184,6 +184,13 @@ the filter rule.
 The thread will throw a SIGSYS signal when it calls a syscall that matches the
 filter rule.
 .TP
+.B SCMP_ACT_TRAPX(uint16_t reason)
+The thread will throw a SIGSYS signal when it calls a syscall that matches the
+filter rule. When using SA_SIGINFO with
+.BR sigaction (2),
+.I reason
+will be populated in the si_errno field.
+.TP
 .B SCMP_ACT_ERRNO(uint16_t errno)
 The thread will receive a return value of
 .I errno

diff --git a/include/seccomp.h.in b/include/seccomp.h.in
@@ -365,8 +365,12 @@ struct scmp_arg_cmp {
 #define SCMP_ACT_KILL		SCMP_ACT_KILL_THREAD
 /**
  * Throw a SIGSYS signal
+ *
+ * The Linux kernel supports a 16-bit parameter for the TRAP action, but
+ * libseccomp v2.6.x and older did not support or utilize this parameter.
  */
-#define SCMP_ACT_TRAP		0x00030000U
+#define SCMP_ACT_TRAP		SCMP_ACT_TRAPX(0)
+#define SCMP_ACT_TRAPX(x)	(0x00030000U | ((x) & 0x0000ffffU))
 /**
  * Notifies userspace
  */

diff --git a/src/gen_pfc.c b/src/gen_pfc.c
@@ -135,8 +135,8 @@ static void _pfc_action(FILE *fds, uint32_t action)
 	case SCMP_ACT_KILL_THREAD:
 		fprintf(fds, "action KILL;\n");
 		break;
-	case SCMP_ACT_TRAP:
-		fprintf(fds, "action TRAP;\n");
+	case SCMP_ACT_TRAPX(0):
+		fprintf(fds, "action TRAP(%u);\n", (action & 0x0000ffff));
 		break;
 	case SCMP_ACT_ERRNO(0):
 		fprintf(fds, "action ERRNO(%u);\n", (action & 0x0000ffff));

diff --git a/src/system.c b/src/system.c
@@ -196,7 +196,7 @@ int sys_chk_seccomp_action(uint32_t action)
 		return state.sup_kill_process;
 	} else if (action == SCMP_ACT_KILL_THREAD) {
 		return 1;
-	} else if (action == SCMP_ACT_TRAP) {
+	} else if (action == SCMP_ACT_TRAPX(action & 0x0000ffff)) {
 		return 1;
 	} else if ((action == SCMP_ACT_ERRNO(action & 0x0000ffff)) &&
 		   ((action & 0x0000ffff) < MAX_ERRNO)) {

diff --git a/tests/.gitignore b/tests/.gitignore
@@ -70,3 +70,4 @@ util.pyc
 60-sim-precompute
 61-sim-transactions
 62-sim-arch_transactions
+63-live-trapx