Use RET_KILL_PROCESS if available in kernel

RET_KILL_THREAD doesn't work well for Go because it will kill only the offending thread and leave the process hanging. RET_TRAP can be masked out and it's not guaranteed to kill the process. RET_KILL_PROCESS is available since 4.14. For older kernel, continue to use RET_TRAP as this is the best option (likely to kill process, easy to debug). PiperOrigin-RevId: 222357867 Change-Id: Icc1d7d731274b16c2125b7a1ba4f7883fbdb2cbd
author: Fabricio Voznika <fvoznika@google.com> 2018-11-20 22:55:41 -0800
committer: Shentubot <shentubot@google.com> 2018-11-20 22:56:51 -0800
commit: eaac94d91c28b745c51c33dd352ed9bfdd671b8c (patch)
tree: e552c91970be74c3a315bb6aa5eea157cb153890 /pkg/abi/linux/seccomp.go
parent: 5236b78242677612ac71b19cee85b3bf4cca4008 (diff)
1 files changed, 7 insertions, 5 deletions
diff --git a/pkg/abi/linux/seccomp.go b/pkg/abi/linux/seccomp.go
index 9963ceeba..5ec01cc4a 100644
--- a/pkg/abi/linux/seccomp.go
+++ b/pkg/abi/linux/seccomp.go
@@ -19,17 +19,19 @@ const (
 	SECCOMP_MODE_NONE   = 0
 	SECCOMP_MODE_FILTER = 2
 
-	SECCOMP_RET_KILL  = 0x00000000
-	SECCOMP_RET_TRAP  = 0x00030000
-	SECCOMP_RET_ERRNO = 0x00050000
-	SECCOMP_RET_TRACE = 0x7ff00000
-	SECCOMP_RET_ALLOW = 0x7fff0000
+	SECCOMP_RET_KILL_PROCESS = 0x80000000
+	SECCOMP_RET_KILL_THREAD  = 0x00000000
+	SECCOMP_RET_TRAP         = 0x00030000
+	SECCOMP_RET_ERRNO        = 0x00050000
+	SECCOMP_RET_TRACE        = 0x7ff00000
+	SECCOMP_RET_ALLOW        = 0x7fff0000
 
 	SECCOMP_RET_ACTION = 0x7fff0000
 	SECCOMP_RET_DATA   = 0x0000ffff
 
 	SECCOMP_SET_MODE_FILTER   = 1
 	SECCOMP_FILTER_FLAG_TSYNC = 1
+	SECCOMP_GET_ACTION_AVAIL  = 2
 )
 
 const (
author	Fabricio Voznika <fvoznika@google.com>	2018-11-20 22:55:41 -0800
committer	Shentubot <shentubot@google.com>	2018-11-20 22:56:51 -0800
commit	eaac94d91c28b745c51c33dd352ed9bfdd671b8c (patch)
tree	e552c91970be74c3a315bb6aa5eea157cb153890 /pkg/abi/linux/seccomp.go
parent	5236b78242677612ac71b19cee85b3bf4cca4008 (diff)