author | Tom Hromatka <tom.hromatka@oracle.com> | 2018-09-19 09:26:25 -0600 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2018-09-19 16:54:15 -0400 |
commit | b2f15f3d02f302b12b9d1a37d83521e6f9e08841 (patch) | |
tree | e9b3e4ae6b2a9dcaf68b2877c24d9b69fc1e7122 /doc | |
parent | 6646e21ed2734dca355c5b550cb45f0379330e02 (diff) | |
download | libseccomp-b2f15f3d02f302b12b9d1a37d83521e6f9e08841.tar.gz |
api: Add support for SCMP_ACT_KILL_PROCESS
This patch adds support for killing the entire process via
the SCMP_ACT_KILL_PROCESS action. To maintain backward
compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD.
Support for KILL_PROCESS was added into the Linux kernel in
v4.14.
This addresses GitHub Issue #96 - RFE: add support for
SECCOMP_RET_KILL_PROCESS
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: minor comment tweak in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'doc')
-rw-r--r-- | doc/man/man3/seccomp_init.3 | 4 | ||||
-rw-r--r-- | doc/man/man3/seccomp_rule_add.3 | 4 |
2 files changed, 8 insertions, 0 deletions
diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3 index d7cd383..ad1371f 100644 --- a/doc/man/man3/seccomp_init.3 +++ b/doc/man/man3/seccomp_init.3 @@ -52,6 +52,10 @@ The thread will be terminated by the kernel with SIGSYS when it calls a syscall that does not match any of the configured seccomp filter rules. The thread will not be able to catch the signal. .TP +.B SCMP_ACT_KILL_PROCESS +The entire process will be terminated by the kernel with SIGSYS when it calls a +syscall that does not match any of the configured seccomp filter rules. +.TP .B SCMP_ACT_TRAP The thread will be sent a SIGSYS signal when it calls a syscall that does not match any of the configured seccomp filter rules. It may catch this and change diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3 index 86c53b1..b051577 100644 --- a/doc/man/man3/seccomp_rule_add.3 +++ b/doc/man/man3/seccomp_rule_add.3 @@ -111,6 +111,10 @@ values are as follows: The thread will be killed by the kernel when it calls a syscall that matches the filter rule. .TP +.B SCMP_ACT_KILL_PROCESS +The process will be killed by the kernel when it calls a syscall that matches +the filter rule. +.TP .B SCMP_ACT_TRAP The thread will throw a SIGSYS signal when it calls a syscall that matches the filter rule. |
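Review bot: In the seccomp_init.3 hunk, the new SCMP_ACT_KILL_PROCESS entry does not state the kernel requirement, although the commit message says KILL_PROCESS support was added to the Linux kernel in v4.14. Suggest adding a sentence to the entry that names the minimum kernel version and says what a caller should expect on older kernels. The entry also omits the sentence that closes the preceding thread-kill entry, "The thread will not be able to catch the signal."; if the same holds for the process-wide action, state it here. Since the commit message says SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD, a short note to that effect next to these entries would tell readers which behaviour the older name gives them.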
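Review bot: In the seccomp_rule_add.3 hunk, the new entry is worded differently from the one added to seccomp_init.3: here it reads "The process will be killed by the kernel" and names no signal, while seccomp_init.3 says "The entire process will be terminated by the kernel with SIGSYS". Suggest aligning the two, for example "The entire process will be terminated by the kernel with SIGSYS when it calls a syscall that matches the filter rule.", so a reader does not infer that the default action and a per-rule action behave differently.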