Merge pull request #1161 from kinvolk/alban_seccomp_flags

AkihiroSuda · web-flow · commit cbb84bec92d9 · 2022-09-07T21:03:35.000+09:00
seccomp: Add flag SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV
diff --git a/config-linux.md b/config-linux.md
@@ -701,6 +701,7 @@ The following parameters can be specified to set up seccomp:
     * `SECCOMP_FILTER_FLAG_TSYNC`
     * `SECCOMP_FILTER_FLAG_LOG`
     * `SECCOMP_FILTER_FLAG_SPEC_ALLOW`
+    * `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV`
 
 * **`listenerPath`** *(string, OPTIONAL)* - specifies the path of UNIX domain socket over which the runtime will send the [container process state](#containerprocessstate) data structure when the `SCMP_ACT_NOTIFY` action is used.
     This socket MUST use `AF_UNIX` domain and `SOCK_STREAM` type.
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -70,7 +70,8 @@
             "enum": [
                 "SECCOMP_FILTER_FLAG_TSYNC",
                 "SECCOMP_FILTER_FLAG_LOG",
-                "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+                "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
+                "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"
             ]
         },
         "SeccompOperators": {
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -645,6 +645,10 @@ const (
 	// LinuxSeccompFlagSpecAllow can be used to disable Speculative Store
 	// Bypass mitigation. (since Linux 4.17)
 	LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+
+	// LinuxSeccompFlagWaitKillableRecv can be used to switch to the wait
+	// killable semantics. (since Linux 5.19)
+	LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"
 )
 
 // Additional architectures permitted to be used for system calls
