Add support for seccomp actions ActKillThread and ActKillProcess

saschagrunert · cyphar · commit 3b902408f682 · 2021-09-09T17:47:00.000+10:00
Two new seccomp actions have been added to the libseccomp-golang
dependency, which can be now supported by runc, too.

ActKillThread kills the thread that violated the rule. It is the same as
ActKill. All other threads from the same thread group will continue to
execute.

ActKillProcess kills the process that violated the rule. All threads in
the thread group are also terminated. This action is only usable when
libseccomp API level 3 or higher is supported.

Signed-off-by: Sascha Grunert &lt;sgrunert@redhat.com&gt;
Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -50,6 +50,8 @@ const (
 	Trace
 	Log
 	Notify
+	KillThread
+	KillProcess
 )
 
 // Operator is a comparison operator to be used when matching syscall arguments in Seccomp

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,8 @@ const (`
`50`	`50`	`Trace`
`51`	`51`	`Log`
`52`	`52`	`Notify`
	`53`	`+ KillThread`
	`54`	`+ KillProcess`
`53`	`55`	`)`
`54`	`56`
`55`	`57`	`// Operator is a comparison operator to be used when matching syscall arguments in Seccomp`