authorTom Hromatka <tom.hromatka@oracle.com>2018-09-19 09:26:25 -0600
committerPaul Moore <paul@paul-moore.com>2018-09-19 16:54:15 -0400
commitb2f15f3d02f302b12b9d1a37d83521e6f9e08841 (patch)
treee9b3e4ae6b2a9dcaf68b2877c24d9b69fc1e7122 /tools
parent6646e21ed2734dca355c5b550cb45f0379330e02 (diff)
downloadlibseccomp-b2f15f3d02f302b12b9d1a37d83521e6f9e08841.tar.gz
api: Add support for SCMP_ACT_KILL_PROCESS
This patch adds support for killing the entire process via the SCMP_ACT_KILL_PROCESS action. To maintain backward compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD. Support for KILL_PROCESS was added into the Linux kernel in v4.14. This addresses GitHub Issue #96 - RFE: add support for SECCOMP_RET_KILL_PROCESS Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com> [PM: minor comment tweak in seccomp.h.in] Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'tools')
-rw-r--r--tools/bpf.h5
-rw-r--r--tools/scmp_bpf_disasm.c7
-rw-r--r--tools/scmp_bpf_sim.c7
3 files changed, 14 insertions, 5 deletions
diff --git a/tools/bpf.h b/tools/bpf.h
index b8e6d81..fd20441 100644
--- a/tools/bpf.h
+++ b/tools/bpf.h
@@ -56,11 +56,14 @@ struct sock_filter {
typedef struct sock_filter bpf_instr_raw;
/* seccomp return masks */
+#define SECCOMP_RET_ACTION_FULL 0xffff0000U
#define SECCOMP_RET_ACTION 0x7fff0000U
#define SECCOMP_RET_DATA 0x0000ffffU
/* seccomp action values */
-#define SECCOMP_RET_KILL 0x00000000U
+#define SECCOMP_RET_KILL_PROCESS 0x80000000U
+#define SECCOMP_RET_KILL_THREAD 0x00000000U
+#define SECCOMP_RET_KILL SECCOMP_RET_KILL_THREAD
#define SECCOMP_RET_TRAP 0x00030000U
#define SECCOMP_RET_ERRNO 0x00050000U
#define SECCOMP_RET_TRACE 0x7ff00000U
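Review bot: The two action masks now sit side by side in tools/bpf.h with nothing saying which one to use, and the difference is easy to get wrong. `SECCOMP_RET_ACTION` (0x7fff0000U) drops bit 31, so `SECCOMP_RET_KILL_PROCESS & SECCOMP_RET_ACTION` is 0, which equals `SECCOMP_RET_KILL_THREAD`. Any tool code that still masks with the old macro would report a kill-process filter as kill-thread; the two call sites in this commit are converted, but other users, if there are any, are not visible in this diff. I would add a comment above the masks such as `/* SECCOMP_RET_ACTION omits bit 31; mask with SECCOMP_RET_ACTION_FULL to distinguish KILL_PROCESS from KILL_THREAD */`.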
diff --git a/tools/scmp_bpf_disasm.c b/tools/scmp_bpf_disasm.c
index 6e5282a..27fba9a 100644
--- a/tools/scmp_bpf_disasm.c
+++ b/tools/scmp_bpf_disasm.c
@@ -173,11 +173,14 @@ static const char *bpf_decode_op(const bpf_instr_raw *bpf)
*/
static void bpf_decode_action(uint32_t k)
{
- uint32_t act = k & SECCOMP_RET_ACTION;
+ uint32_t act = k & SECCOMP_RET_ACTION_FULL;
uint32_t data = k & SECCOMP_RET_DATA;
switch (act) {
- case SECCOMP_RET_KILL:
+ case SECCOMP_RET_KILL_PROCESS:
+ printf("KILL_PROCESS");
+ break;
+ case SECCOMP_RET_KILL_THREAD:
printf("KILL");
break;
case SECCOMP_RET_TRAP:
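Review bot: With the mask widened to `SECCOMP_RET_ACTION_FULL` in `bpf_decode_action`, a return value that has bit 31 set together with other action bits (a constructed example: `0x80030000`) no longer matches `SECCOMP_RET_TRAP` and falls to the switch's default arm, which lies outside this hunk. As far as I know the kernel treats unrecognised action values as a kill, so the default arm should print the raw value clearly, letting someone auditing a filter see that it is not a plain TRAP/ERRNO/ALLOW. The same applies to `end_action` in tools/scmp_bpf_sim.c. Separately, the `SECCOMP_RET_KILL_THREAD` case still prints `KILL`, presumably to keep existing output stable; a short comment in both functions would record that, e.g. `/* label stays "KILL" (not "KILL_THREAD") to match earlier output */`.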
diff --git a/tools/scmp_bpf_sim.c b/tools/scmp_bpf_sim.c
index 6e422c5..73d056b 100644
--- a/tools/scmp_bpf_sim.c
+++ b/tools/scmp_bpf_sim.c
@@ -112,11 +112,14 @@ static void exit_error(unsigned int rc, unsigned int line)
*/
static void end_action(uint32_t action, unsigned int line)
{
- uint32_t act = action & SECCOMP_RET_ACTION;
+ uint32_t act = action & SECCOMP_RET_ACTION_FULL;
uint32_t data = action & SECCOMP_RET_DATA;
switch (act) {
- case SECCOMP_RET_KILL:
+ case SECCOMP_RET_KILL_PROCESS:
+ fprintf(stdout, "KILL_PROCESS\n");
+ break;
+ case SECCOMP_RET_KILL_THREAD:
fprintf(stdout, "KILL\n");
break;
case SECCOMP_RET_TRAP: