seccomp: add scmp_act_kill_process() helper that returns SCMP_ACT_KILL_PROCESS if supported

2019-04-29 11:54:00 +02:00 · 2019-04-29 11:54:00 +02:00 · 915fb32438
parent d631a760e0
commit 915fb32438
2 changed files with 17 additions and 0 deletions
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@ -1964,3 +1964,18 @@ int seccomp_restrict_suid_sgid(void) {

        return 0;
 }
+
+uint32_t scmp_act_kill_process(void) {
+
+        /* Returns SCMP_ACT_KILL_PROCESS if it's supported, and SCMP_ACT_KILL_THREAD otherwise. We never
+         * actually want to use SCMP_ACT_KILL_THREAD as its semantics are nuts (killing arbitrary threads of
+         * a program is just a bad idea), but on old kernels/old libseccomp it is all we have, and at least
+         * for single-threaded apps does the right thing. */
+
+#ifdef SCMP_ACT_KILL_PROCESS
+        if (seccomp_api_get() >= 3)
+                return SCMP_ACT_KILL_PROCESS;
+#endif
+
+        return SCMP_ACT_KILL; /* same as SCMP_ACT_KILL_THREAD */
+}
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@ -104,3 +104,5 @@ extern const uint32_t seccomp_local_archs[];
 DEFINE_TRIVIAL_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release);

 int parse_syscall_archs(char **l, Set **archs);
+
+uint32_t scmp_act_kill_process(void);