authorTom Hromatka <tom.hromatka@oracle.com>2018-09-19 09:26:25 -0600
committerPaul Moore <paul@paul-moore.com>2018-09-19 16:54:15 -0400
commitb2f15f3d02f302b12b9d1a37d83521e6f9e08841 (patch)
treee9b3e4ae6b2a9dcaf68b2877c24d9b69fc1e7122 /src/python
parent6646e21ed2734dca355c5b550cb45f0379330e02 (diff)
api: Add support for SCMP_ACT_KILL_PROCESS
This patch adds support for killing the entire process via the SCMP_ACT_KILL_PROCESS action. To maintain backward compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD. Support for KILL_PROCESS was added into the Linux kernel in v4.14. This addresses GitHub Issue #96 - RFE: add support for SECCOMP_RET_KILL_PROCESS Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com> [PM: minor comment tweak in seccomp.h.in] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'src/python')
-rw-r--r--src/python/libseccomp.pxd1
-rw-r--r--src/python/seccomp.pyx10
2 files changed, 8 insertions, 3 deletions
diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd
index a599ef2..49d0be4 100644
--- a/src/python/libseccomp.pxd
+++ b/src/python/libseccomp.pxd
@@ -69,6 +69,7 @@ cdef extern from "seccomp.h":
SCMP_CMP_MASKED_EQ
cdef enum:
+ SCMP_ACT_KILL_PROCESS
SCMP_ACT_KILL
SCMP_ACT_TRAP
SCMP_ACT_LOG
diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
index c9a0dab..771b9c3 100644
--- a/src/python/seccomp.pyx
+++ b/src/python/seccomp.pyx
@@ -29,7 +29,8 @@ based filtering interface that should be familiar to, and easily adopted
by application developers.
Filter action values:
- KILL - kill the process
+ KILL_PROCESS - kill the process
+ KILL - kill the thread
LOG - allow the syscall to be executed after the action has been logged
ALLOW - allow the syscall to execute
TRAP - a SIGSYS signal will be thrown
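Review bot: The two new docstring entries, `KILL_PROCESS - kill the process` and `KILL - kill the thread`, omit the detail a caller needs to choose between them: with KILL only the offending thread is terminated, so the other threads of a multi-threaded process keep running after a filter violation. The old text described KILL as killing the process, so existing callers who relied on it may have a weaker guarantee than they assumed. I would word the entries as `KILL_PROCESS - kill the entire process (Linux v4.14 or later)` and `KILL - kill the calling thread only; other threads keep running`. The v4.14 requirement comes from the commit message; what the binding does with KILL_PROCESS on an older kernel is not visible in these hunks and should be stated in the docstring as well. The same wording would suit a one-line comment above `KILL_PROCESS = libseccomp.SCMP_ACT_KILL_PROCESS` in the next hunk.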
@@ -94,6 +95,7 @@ def c_str(string):
else:
return bytes(string, "ascii")
+KILL_PROCESS = libseccomp.SCMP_ACT_KILL_PROCESS
KILL = libseccomp.SCMP_ACT_KILL
TRAP = libseccomp.SCMP_ACT_TRAP
LOG = libseccomp.SCMP_ACT_LOG
@@ -545,7 +547,8 @@ cdef class SyscallFilter:
""" Add a new rule to filter.
Arguments:
- action - the rule action: KILL, TRAP, ERRNO(), TRACE(), LOG, or ALLOW
+ action - the rule action: KILL_PROCESS, KILL, TRAP, ERRNO(), TRACE(),
+ LOG, or ALLOW
syscall - the syscall name or number
args - variable number of Arg objects
@@ -627,7 +630,8 @@ cdef class SyscallFilter:
""" Add a new rule to filter.
Arguments:
- action - the rule action: KILL, TRAP, ERRNO(), TRACE(), LOG, or ALLOW
+ action - the rule action: KILL_PROCESS, KILL, TRAP, ERRNO(), TRACE(),
+ LOG, or ALLOW
syscall - the syscall name or number
args - variable number of Arg objects