Add support for seccomp actions ActKillThread and ActKillProcess

saschagrunert · cyphar · commit 84e60258bf84 · 2021-09-09T17:47:00.000+10:00
Two new seccomp actions have been added to the libseccomp-golang
dependency, which can be now supported by runc, too.

ActKillThread kills the thread that violated the rule. It is the same as
ActKill. All other threads from the same thread group will continue to
execute.

ActKillProcess kills the process that violated the rule. All threads in
the thread group are also terminated. This action is only usable when
libseccomp API level 3 or higher is supported.

Signed-off-by: Sascha Grunert &lt;sgrunert@redhat.com&gt;
Signed-off-by: Aleksa Sarai &lt;cyphar@cyphar.com&gt;
diff --git a/libcontainer/configs/config.go b/libcontainer/configs/config.go
@@ -50,6 +50,8 @@ const (
 	Trace
 	Log
 	Notify
+	KillThread
+	KillProcess
 )
 
 // Operator is a comparison operator to be used when matching syscall arguments in Seccomp
diff --git a/libcontainer/seccomp/seccomp_linux.go b/libcontainer/seccomp/seccomp_linux.go
@@ -133,6 +133,10 @@ func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error
 		return libseccomp.ActLog, nil
 	case configs.Notify:
 		return libseccomp.ActNotify, nil
+	case configs.KillThread:
+		return libseccomp.ActKillThread, nil
+	case configs.KillProcess:
+		return libseccomp.ActKillProcess, nil
 	default:
 		return libseccomp.ActInvalid, errors.New("invalid action, cannot use in rule")
 	}

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,8 @@ const (`
`50`	`50`	`Trace`
`51`	`51`	`Log`
`52`	`52`	`Notify`
	`53`	`+ KillThread`
	`54`	`+ KillProcess`
`53`	`55`	`)`
`54`	`56`
`55`	`57`	`// Operator is a comparison operator to be used when matching syscall arguments in Seccomp`