seccomp: add scmp_act_kill_process() helper that returns SCMP_ACT_KILL_PROCESS if...

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 95e46a6aa4a7120c15379de9dc68788ddc55ed24..72920ee7df1cbce117cfe4a8ba11bafa462be237 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -1964,3 +1964,18 @@ int seccomp_restrict_suid_sgid(void) {
 
         return 0;
 }
+
+uint32_t scmp_act_kill_process(void) {
+
+        /* Returns SCMP_ACT_KILL_PROCESS if it's supported, and SCMP_ACT_KILL_THREAD otherwise. We never
+         * actually want to use SCMP_ACT_KILL_THREAD as its semantics are nuts (killing arbitrary threads of
+         * a program is just a bad idea), but on old kernels/old libseccomp it is all we have, and at least
+         * for single-threaded apps does the right thing. */
+
+#ifdef SCMP_ACT_KILL_PROCESS
+        if (seccomp_api_get() >= 3)
+                return SCMP_ACT_KILL_PROCESS;
+#endif
+
+        return SCMP_ACT_KILL; /* same as SCMP_ACT_KILL_THREAD */
+}

diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 2566d2d17f261c12873fd1eaf88994713d69c9af..1729dc1b6eeaaf5eaac3242e4a6cff709b988b52 100644 (file)
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -104,3 +104,5 @@ extern const uint32_t seccomp_local_archs[];
 DEFINE_TRIVIAL_CLEANUP_FUNC(scmp_filter_ctx, seccomp_release);
 
 int parse_syscall_archs(char **l, Set **archs);
+
+uint32_t scmp_act_kill_process(void);