nspawn: expose the new seccomp actions in the OCI logic

2026-04-15 00:47:10 +09:00 · 2019-04-29 12:04:55 +02:00
parent 7bbc229cf7
commit f9a3d8e2f3
1 changed files with 12 additions and 6 deletions
--- a/src/nspawn/nspawn-oci.c
+++ b/src/nspawn/nspawn-oci.c
@@ -1656,13 +1656,19 @@ static int oci_seccomp_action_from_string(const char *name, uint32_t *ret) {
                const char *name;
                uint32_t action;
        } table[] = {
-                { "SCMP_ACT_ALLOW", SCMP_ACT_ALLOW        },
-                { "SCMP_ACT_ERRNO", SCMP_ACT_ERRNO(EPERM) }, /* the OCI spec doesn't document the error, but it appears EPERM is supposed to be used */
-                { "SCMP_ACT_KILL",  SCMP_ACT_KILL         },
-#ifdef SCMP_ACT_LOG
-                { "SCMP_ACT_LOG",   SCMP_ACT_LOG          },
+                { "SCMP_ACT_ALLOW",         SCMP_ACT_ALLOW        },
+                { "SCMP_ACT_ERRNO",         SCMP_ACT_ERRNO(EPERM) }, /* the OCI spec doesn't document the error, but it appears EPERM is supposed to be used */
+                { "SCMP_ACT_KILL",          SCMP_ACT_KILL         },
+#ifdef SCMP_ACT_KILL_PROCESS
+                { "SCMP_ACT_KILL_PROCESS",  SCMP_ACT_KILL_PROCESS },
 #endif
-                { "SCMP_ACT_TRAP",  SCMP_ACT_TRAP         },
+#ifdef SCMP_ACT_KILL_THREAD
+                { "SCMP_ACT_KILL_THREAD",   SCMP_ACT_KILL_THREAD  },
+#endif
+#ifdef SCMP_ACT_LOG
+                { "SCMP_ACT_LOG",           SCMP_ACT_LOG          },
+#endif
+                { "SCMP_ACT_TRAP",          SCMP_ACT_TRAP         },

                /* We don't support SCMP_ACT_TRACE because that requires a tracer, and that doesn't really make sense
                 * here */