From: Lennart Poettering Date: Mon, 29 Apr 2019 10:03:58 +0000 (+0200) Subject: core: prefer SCMP_ACT_KILL_PROCESS for SystemCallFilter= behaviour X-Git-Tag: v243-rc1~381^2~7 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ccc16c7842a144af5df6accbb2f01281ee0d3129;p=thirdparty%2Fsystemd.git core: prefer SCMP_ACT_KILL_PROCESS for SystemCallFilter= behaviour If we have it, use it. It makes a ton more sense. Fixes: #11967 --- diff --git a/src/core/execute.c b/src/core/execute.c index 9975de1ff59..e90c3ac4f38 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1439,7 +1439,7 @@ static int apply_syscall_filter(const Unit* u, const ExecContext *c, bool needs_ if (skip_seccomp_unavailable(u, "SystemCallFilter=")) return 0; - negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno); + negative_action = c->syscall_errno == 0 ? scmp_act_kill_process() : SCMP_ACT_ERRNO(c->syscall_errno); if (c->syscall_whitelist) { default_action = negative_action;
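Review bot: The new `negative_action` line in apply_syscall_filter() depends on scmp_act_kill_process(), whose definition and fallback are not part of this diff, so a reader of this hunk cannot tell what action is installed when SCMP_ACT_KILL_PROCESS is not available. The commit message says "If we have it, use it", which implies a fallback exists; a one-line comment at the call site stating what the helper returns in that case would make the filter's behaviour auditable from here. Separately, when `c->syscall_errno == 0` the outcome of a filtered call changes from SCMP_ACT_KILL, which terminates only the calling thread, to terminating the whole process. That is a user-visible change to SystemCallFilter=, and this diff touches only src/core/execute.c, so the documentation for that setting should be updated in the same series if it is not already.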