From b2f15f3d02f302b12b9d1a37d83521e6f9e08841 Mon Sep 17 00:00:00 2001
From: Tom Hromatka
Date: Wed, 19 Sep 2018 09:26:25 -0600
Subject: api: Add support for SCMP_ACT_KILL_PROCESS

This patch adds support for killing the entire process via the SCMP_ACT_KILL_PROCESS action. To maintain backward compatibility, SCMP_ACT_KILL defaults to SCMP_ACT_KILL_THREAD. Support for KILL_PROCESS was added into the Linux kernel in v4.14. This addresses GitHub Issue #96 - RFE: add support for SECCOMP_RET_KILL_PROCESS

Signed-off-by: Tom Hromatka
[PM: minor comment tweak in seccomp.h.in]
Signed-off-by: Paul Moore
---
 src/python/libseccomp.pxd | 1 +
 src/python/seccomp.pyx | 10 +++++++---
 2 files changed, 8 insertions(+), 3 deletions(-)
(limited to 'src/python')
diff --git a/src/python/libseccomp.pxd b/src/python/libseccomp.pxd
index a599ef2..49d0be4 100644
--- a/src/python/libseccomp.pxd
+++ b/src/python/libseccomp.pxd
@@ -69,6 +69,7 @@ cdef extern from "seccomp.h":
 SCMP_CMP_MASKED_EQ
 
 cdef enum:
+ SCMP_ACT_KILL_PROCESS
 SCMP_ACT_KILL
 SCMP_ACT_TRAP
 SCMP_ACT_LOG
diff --git a/src/python/seccomp.pyx b/src/python/seccomp.pyx
index c9a0dab..771b9c3 100644
--- a/src/python/seccomp.pyx
+++ b/src/python/seccomp.pyx
@@ -29,7 +29,8 @@ based filtering interface that should be familiar to, and easily adopted by
 application developers.
 
 Filter action values:
- KILL - kill the process
+ KILL_PROCESS - kill the process
+ KILL - kill the thread
 LOG - allow the syscall to be executed after the action has been logged
 ALLOW - allow the syscall to execute
 TRAP - a SIGSYS signal will be thrown
@@ -94,6 +95,7 @@ def c_str(string):
 else:
 return bytes(string, "ascii")
 
+KILL_PROCESS = libseccomp.SCMP_ACT_KILL_PROCESS
 KILL = libseccomp.SCMP_ACT_KILL
 TRAP = libseccomp.SCMP_ACT_TRAP
 LOG = libseccomp.SCMP_ACT_LOG
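Review bot: The new docstring entry `KILL_PROCESS - kill the process` in the seccomp.pyx "Filter action values" hunk gives no hint that the action depends on kernel support, which the commit message puts at Linux v4.14, so a reader of the Python module alone presumably cannot tell why a filter using it would behave differently on an older kernel. I would extend the line to `KILL_PROCESS - kill the process (requires Linux v4.14 or newer)` and make the same addition where the action is listed in the add_rule and add_rule_exactly docstring hunks later in this patch. The corrected `KILL - kill the thread` line is consistent with the backward-compatible default described in the commit message, but the old text described KILL as killing the process, so existing users may have relied on the broader reading; a comment such as `# KILL keeps its thread-kill semantics; use KILL_PROCESS to terminate the whole process` next to the `KILL = libseccomp.SCMP_ACT_KILL` binding in the `c_str` hunk would make that explicit at the definition site.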
@@ -545,7 +547,8 @@ cdef class SyscallFilter:
 """ Add a new rule to filter.
 
 Arguments:
- action - the rule action: KILL, TRAP, ERRNO(), TRACE(), LOG, or ALLOW
+ action - the rule action: KILL_PROCESS, KILL, TRAP, ERRNO(), TRACE(),
+ LOG, or ALLOW
 syscall - the syscall name or number
 args - variable number of Arg objects
 
@@ -627,7 +630,8 @@ cdef class SyscallFilter:
 """ Add a new rule to filter.
 
 Arguments:
- action - the rule action: KILL, TRAP, ERRNO(), TRACE(), LOG, or ALLOW
+ action - the rule action: KILL_PROCESS, KILL, TRAP, ERRNO(), TRACE(),
+ LOG, or ALLOW
 syscall - the syscall name or number
 args - variable number of Arg objects
 
-- 
cgit v1.2.1