author: Tom Hromatka <tom.hromatka@oracle.com> 2018-09-19 09:26:25 -0600
committer: Paul Moore <paul@paul-moore.com> 2018-09-19 16:54:15 -0400
commit: b2f15f3d02f302b12b9d1a37d83521e6f9e08841 (patch)
tree: e9b3e4ae6b2a9dcaf68b2877c24d9b69fc1e7122 /doc
parent: 6646e21ed2734dca355c5b550cb45f0379330e02 (diff)
api: Add support for SCMP_ACT_KILL_PROCESS

This patch adds support for killing the entire process via the SCMP_ACT_KILL_PROCESS action. To maintain backward compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD. Support for KILL_PROCESS was added into the Linux kernel in v4.14.

This addresses GitHub Issue #96 - RFE: add support for SECCOMP_RET_KILL_PROCESS

Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
[PM: minor comment tweak in seccomp.h.in]
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'doc')
-rw-r--r-- doc/man/man3/seccomp_init.3 4
-rw-r--r-- doc/man/man3/seccomp_rule_add.3 4
2 files changed, 8 insertions, 0 deletions
diff --git a/doc/man/man3/seccomp_init.3 b/doc/man/man3/seccomp_init.3
index d7cd383..ad1371f 100644
--- a/doc/man/man3/seccomp_init.3
+++ b/doc/man/man3/seccomp_init.3
@@ -52,6 +52,10 @@ The thread will be terminated by the kernel with SIGSYS when it calls a syscall
that does not match any of the configured seccomp filter rules. The thread
will not be able to catch the signal.
.TP
+.B SCMP_ACT_KILL_PROCESS
+The entire process will be terminated by the kernel with SIGSYS when it calls a
+syscall that does not match any of the configured seccomp filter rules.
+.TP
.B SCMP_ACT_TRAP
The thread will be sent a SIGSYS signal when it calls a syscall that does not
match any of the configured seccomp filter rules. It may catch this and change
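Review bot: The new SCMP_ACT_KILL_PROCESS entry in seccomp_init.3 does not say whether the signal can be caught, while the entry directly above it ends with "The thread will not be able to catch the signal." Add the matching sentence for the process case so readers do not infer that the two actions differ on this point. The entry also gives no minimum kernel version, although the commit message states that KILL_PROCESS support arrived in Linux v4.14; a short note on the kernel requirement, and on what a caller should expect on older kernels, would let users choose this default action safely.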
diff --git a/doc/man/man3/seccomp_rule_add.3 b/doc/man/man3/seccomp_rule_add.3
index 86c53b1..b051577 100644
--- a/doc/man/man3/seccomp_rule_add.3
+++ b/doc/man/man3/seccomp_rule_add.3
@@ -111,6 +111,10 @@ values are as follows:
The thread will be killed by the kernel when it calls a syscall that matches
the filter rule.
.TP
+.B SCMP_ACT_KILL_PROCESS
+The process will be killed by the kernel when it calls a syscall that matches
+the filter rule.
+.TP
.B SCMP_ACT_TRAP
The thread will throw a SIGSYS signal when it calls a syscall that matches the
filter rule.
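Review bot: The added text in seccomp_rule_add.3 says "The process will be killed", whereas the seccomp_init.3 hunk in this same patch says "The entire process will be terminated"; use one wording in both pages, preferably "the entire process", since the contrast with the thread-scoped entry just above is the whole point of the new action. The commit message also says SCMP_ACT_KILL now defaults to SCMP_ACT_KILL_THREAD, yet neither hunk documents the SCMP_ACT_KILL_THREAD name or states that SCMP_ACT_KILL remains thread-scoped. A sentence to that effect would stop users from assuming that SCMP_ACT_KILL terminates the whole process.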