| field | value | date |
|---|---|---|
| author | gVisor bot <gvisor-bot@google.com> | 2021-06-04 03:12:39 +0000 |
| committer | gVisor bot <gvisor-bot@google.com> | 2021-06-04 03:12:39 +0000 |
| commit | 1a78990139a9d1c08fdc2f3ab0563ae968ad4552 (patch) | |
| tree | b673b3602b4d451d5b0b0a4bcc148ff374f3c793 /pkg | |
| parent | c43691a05306e48d6d1623b32073f8453ad994ef (diff) | |
| parent | 86cf56eb71215e24fec49272d915f80c9c569c05 (diff) | |
Merge release-20210518.0-71-g86cf56eb7 (automated)
Diffstat (limited to 'pkg')
-rw-r--r-- | pkg/seccomp/seccomp.go | 12 |
1 files changed, 4 insertions, 8 deletions
diff --git a/pkg/seccomp/seccomp.go b/pkg/seccomp/seccomp.go index daea51c4d..8ffa1db37 100644 --- a/pkg/seccomp/seccomp.go +++ b/pkg/seccomp/seccomp.go @@ -36,14 +36,10 @@ const ( // Install generates BPF code based on the set of syscalls provided. It only // allows syscalls that conform to the specification. Syscalls that violate the -// specification will trigger RET_KILL_PROCESS, except for the cases below. -// -// RET_TRAP is used in violations, instead of RET_KILL_PROCESS, in the -// following cases: -// 1. Kernel doesn't support RET_KILL_PROCESS: RET_KILL_THREAD only kills the -// offending thread and often keeps the sentry hanging. -// 2. Debug: RET_TRAP generates a panic followed by a stack trace which is -// much easier to debug then RET_KILL_PROCESS which can't be caught. +// specification will trigger RET_KILL_PROCESS. If RET_KILL_PROCESS is not +// supported, violations will trigger RET_TRAP instead. RET_KILL_THREAD is not +// used because it only kills the offending thread and often keeps the sentry +// hanging. // // Be aware that RET_TRAP sends SIGSYS to the process and it may be ignored, // making it possible for the process to continue running after a violation. |
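Review bot: the rewritten comment drops the "Debug" case (RET_TRAP used deliberately so a violation panics with a stack trace) without this hunk touching any code, so confirm that the debug path in Install really was removed in the companion change; if a debug flag still selects RET_TRAP, the new text under-documents a mode that deliberately weakens the filter, and the retained warning that "RET_TRAP sends SIGSYS to the process and it may be ignored" would then apply to that mode too. The new wording is otherwise an improvement: it states the fallback order plainly (RET_KILL_PROCESS, else RET_TRAP), explains why RET_KILL_THREAD is avoided ("it only kills the offending thread and often keeps the sentry hanging"), and removes the "easier to debug then" typo from the old text. Since the merge commit message is automated and says nothing about why the debug behaviour went away, it would help to reference the originating change in the comment or in the non-merge commit.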