Add support for seccomp actions ActKillThread and ActKillProcess #2564

Closed

saschagrunert
Contributor

Two new seccomp actions have been added to the libseccomp-golang
dependency, which can be now supported by runc, too.

ActKillThread kills the thread that violated the rule. It is the same as
ActKill. All other threads from the same thread group will continue to
execute.

ActKillProcess kills the process that violated the rule. All threads in
the thread group are also terminated. This action is only usable when
libseccomp API level 3 or higher is supported.

Xref for requesting a new release in libseccomp-golang: seccomp/libseccomp-golang#55
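
The distinction drawn in the description above, as an added Go sketch that is not part of this PR or of runc. `resolveAction` and `effective` are hypothetical helpers, the numeric values are the kernel's `SECCOMP_RET_*` constants from `<linux/seccomp.h>`, and the sketch goes slightly beyond the description by showing which verdict the kernel applies when stacked filters disagree.

```go
package main

import "fmt"

// Kernel return values from <linux/seccomp.h>; the upper 16 bits select the action.
const (
	retKillProcess uint32 = 0x80000000 // SECCOMP_RET_KILL_PROCESS
	retKillThread  uint32 = 0x00000000 // SECCOMP_RET_KILL_THREAD (same value as SECCOMP_RET_KILL)
	retErrno       uint32 = 0x00050000 // SECCOMP_RET_ERRNO
	retAllow       uint32 = 0x7fff0000 // SECCOMP_RET_ALLOW
	actionFull     uint32 = 0xffff0000 // SECCOMP_RET_ACTION_FULL
)

// resolveAction (hypothetical helper) maps the action names used in the PR
// text to kernel return values and enforces the API level 3 requirement.
func resolveAction(name string, apiLevel uint) (uint32, error) {
	switch name {
	case "ActKill", "ActKillThread": // identical: only the offending thread dies
		return retKillThread, nil
	case "ActKillProcess": // every thread in the thread group dies
		if apiLevel < 3 {
			return 0, fmt.Errorf("%s needs libseccomp API level >= 3, have %d", name, apiLevel)
		}
		return retKillProcess, nil
	case "ActAllow":
		return retAllow, nil
	}
	return 0, fmt.Errorf("unknown action %q", name)
}

// effective (hypothetical helper) returns the verdict the kernel applies when
// stacked filters return different values: the action bits are compared as a
// signed 32-bit integer and the lowest wins, so KILL_PROCESS (negative when
// signed) takes precedence over KILL_THREAD and everything else.
func effective(first uint32, rest ...uint32) uint32 {
	best := first
	for _, r := range rest {
		if int32(r&actionFull) < int32(best&actionFull) {
			best = r
		}
	}
	return best
}

func main() {
	kp, err := resolveAction("ActKillProcess", 3)
	fmt.Printf("ActKillProcess -> %#x (err=%v)\n", kp, err)
	fmt.Printf("allow+errno+kill_thread -> %#x\n", effective(retAllow, retErrno, retKillThread))
	fmt.Printf("allow+kill_thread+kill_process -> %#x\n", effective(retAllow, retKillThread, kp))
}
```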

@saschagrunert saschagrunert changed the title from "WIP: Add support for seccomp actions ActKillThread and ActKillProcess" to "Add support for seccomp actions ActKillThread and ActKillProcess" Aug 20, 2020
@saschagrunert
Contributor Author

Removing the WIP since it looks like we do not get a new release of seccomp/libseccomp-golang soon.

AkihiroSuda
AkihiroSuda previously approved these changes Aug 21, 2020
@saschagrunert
Contributor Author

@mrunalp @cyphar PTAL 🙏

go.sum
Contributor

@kolyshkin kolyshkin left a comment

go mod tidy?

AkihiroSuda
AkihiroSuda previously approved these changes Aug 28, 2020
@cyphar
Member

cyphar commented Feb 4, 2021

Needs a rebase and probably a small rework given #2750.

@saschagrunert
Contributor Author

Rebased on top of the latest master branch.

cyphar
cyphar previously approved these changes Feb 4, 2021
Member

@cyphar cyphar left a comment

LGTM.

@cyphar cyphar requested a review from kolyshkin February 4, 2021 11:36
@AkihiroSuda
Member

Needs rebase

@saschagrunert
Contributor Author

Rebased on top of the latest master branch.

AkihiroSuda
AkihiroSuda previously approved these changes May 6, 2021
AkihiroSuda
AkihiroSuda previously approved these changes May 6, 2021
@AkihiroSuda
Member

Sorry needs rebase

@saschagrunert
Contributor Author

> Sorry needs rebase

Rebased on top of the latest master branch.

@AkihiroSuda
Member

Commit seems broken

Two new seccomp actions have been added to the libseccomp-golang
dependency, which can be now supported by runc, too.

ActKillThread kills the thread that violated the rule. It is the same as
ActKill. All other threads from the same thread group will continue to
execute.

ActKillProcess kills the process that violated the rule. All threads in
the thread group are also terminated. This action is only usable when
libseccomp API level 3 or higher is supported.

Signed-off-by: Sascha Grunert <[email protected]>
@AkihiroSuda AkihiroSuda added this to the 1.1.0 milestone Jul 28, 2021
@kolyshkin
Contributor

Looks like this will conflict with #2682 and I'd rather have this one rebased after #2682 is merged.

@kolyshkin
Contributor

#2682 is merged, @saschagrunert can you please rebase?

@cyphar
Member

cyphar commented Sep 9, 2021

Given how small the change is, I'll just carry this. I'm sure Sascha won't mind. 😉

@cyphar
Member

cyphar commented Sep 9, 2021

Carried in #3204.

@cyphar cyphar closed this Sep 9, 2021
@saschagrunert saschagrunert deleted the kill-thread-process branch September 9, 2021 06:39
@saschagrunert
Contributor Author

Thanks y'all!
