Diffstat (limited to 'src/shared')
-rw-r--r--src/shared/bus-unit-util.c10
-rw-r--r--src/shared/seccomp-util.c4
-rw-r--r--src/shared/seccomp-util.h25
3 files changed, 36 insertions, 3 deletions
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index c72c9791c0..eb62e1231b 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -30,6 +30,9 @@
#include "path-util.h"
#include "process-util.h"
#include "rlimit-util.h"
+#if HAVE_SECCOMP
+#include "seccomp-util.h"
+#endif
#include "securebits-util.h"
#include "signal-util.h"
#include "socket-util.h"
@@ -107,7 +110,10 @@ DEFINE_BUS_APPEND_PARSE("i", ioprio_class_from_string);
DEFINE_BUS_APPEND_PARSE("i", ip_tos_from_string);
DEFINE_BUS_APPEND_PARSE("i", log_facility_unshifted_from_string);
DEFINE_BUS_APPEND_PARSE("i", log_level_from_string);
-DEFINE_BUS_APPEND_PARSE("i", parse_errno);
+#if !HAVE_SECCOMP
+static inline int seccomp_parse_errno_or_action(const char *eq) { return -EINVAL; }
+#endif
+DEFINE_BUS_APPEND_PARSE("i", seccomp_parse_errno_or_action);
DEFINE_BUS_APPEND_PARSE("i", sched_policy_from_string);
DEFINE_BUS_APPEND_PARSE("i", secure_bits_from_string);
DEFINE_BUS_APPEND_PARSE("i", signal_from_string);
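Review bot: The `!HAVE_SECCOMP` stub for `seccomp_parse_errno_or_action` returns -EINVAL, which makes a build without seccomp support indistinguishable from a genuinely malformed value; before this change `parse_errno` accepted `SystemCallErrorNumber=EPERM` on such builds, so this is a client-side behaviour change. If rejecting the setting without seccomp is intended, `return -EOPNOTSUPP;` would give the DEFINE_BUS_APPEND_PARSE error path a distinct errno — I cannot see that macro's message from here, so this is inferred. The parameter `eq` is unused in the stub; if the build does not already silence unused-parameter warnings, `(void) eq;` avoids one.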
@@ -927,7 +933,7 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
return bus_append_parse_nice(m, field, eq);
if (streq(field, "SystemCallErrorNumber"))
- return bus_append_parse_errno(m, field, eq);
+ return bus_append_seccomp_parse_errno_or_action(m, field, eq);
if (streq(field, "IOSchedulingClass"))
return bus_append_ioprio_class_from_string(m, field, eq);
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 10f78d6c2c..0b7cdbaadf 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1071,7 +1071,9 @@ int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, u
int id = PTR_TO_INT(syscall_id) - 1;
int error = PTR_TO_INT(val);
- if (action != SCMP_ACT_ALLOW && error >= 0)
+ if (error == SECCOMP_ERROR_NUMBER_KILL)
+ a = scmp_act_kill_process();
+ else if (action != SCMP_ACT_ALLOW && error >= 0)
a = SCMP_ACT_ERRNO(error);
r = seccomp_rule_add_exact(seccomp, a, id, 0);
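Review bot: The new `SECCOMP_ERROR_NUMBER_KILL` branch is not guarded by `action != SCMP_ACT_ALLOW`, while the errno branch it is placed in front of still is, so a per-syscall kill marker stored in an allow-list set (action == SCMP_ACT_ALLOW) would turn that syscall into a kill rather than being ignored the way an errno value is. If that asymmetry is deliberate it deserves a one-line comment, e.g. `/* "kill" applies even in allow-list mode, unlike per-syscall errno values */`; if not, fold it into the existing guard, `if (action != SCMP_ACT_ALLOW && error == SECCOMP_ERROR_NUMBER_KILL)`. The enclosing function seccomp_load_syscall_filter_set_raw starts and ends outside the hunk, so I cannot see how `a` is initialised or whether callers can produce that combination.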
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index b62ee7c448..ff3b96df4b 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -5,7 +5,10 @@
#include <stdbool.h>
#include <stdint.h>
+#include "errno-list.h"
+#include "parse-util.h"
#include "set.h"
+#include "string-util.h"
const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);
@@ -115,3 +118,25 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release);
int parse_syscall_archs(char **l, Set **ret_archs);
uint32_t scmp_act_kill_process(void);
+
+/* This is a special value to be used where syscall filters otherwise expect errno numbers, will be
+ replaced with real seccomp action. */
+enum {
+ SECCOMP_ERROR_NUMBER_KILL = INT_MAX - 1,
+};
+
+static inline bool seccomp_errno_or_action_is_valid(int n) {
+ return n == SECCOMP_ERROR_NUMBER_KILL || errno_is_valid(n);
+}
+
+static inline int seccomp_parse_errno_or_action(const char *p) {
+ if (streq_ptr(p, "kill"))
+ return SECCOMP_ERROR_NUMBER_KILL;
+ return parse_errno(p);
+}
+
+static inline const char *seccomp_errno_or_action_to_string(int num) {
+ if (num == SECCOMP_ERROR_NUMBER_KILL)
+ return "kill";
+ return errno_to_name(num);
+}
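Review bot: `SECCOMP_ERROR_NUMBER_KILL = INT_MAX - 1` uses INT_MAX, but the header's include block (stdbool.h, stdint.h and the three project headers added in this commit) does not pull in `<limits.h>`; unless one of the project headers does so transitively, add `#include <limits.h>` next to the system includes so the header stays self-contained. The three new static inline helpers carry no comments; a short line on each would help, e.g. above `seccomp_parse_errno_or_action`: `/* Maps the literal "kill" to SECCOMP_ERROR_NUMBER_KILL, otherwise defers to parse_errno() */`, and above `seccomp_errno_or_action_is_valid`: `/* Accepts the kill marker in addition to whatever errno_is_valid() accepts */`. Note that `seccomp_errno_or_action_to_string` returns a string literal for the kill case and `errno_to_name()` otherwise; if those differ in lifetime or NULL-return behaviour, the comment should say which the caller may rely on — I cannot see errno_to_name() from here.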