    seccomp: Sysctl to display available actions · 8e5f1ad1
    Tyler Hicks authored
    
    
    This patch creates a read-only sysctl containing an ordered list of
    seccomp actions that the kernel supports. The ordering, from left to
    right, is the lowest action value (kill) to the highest action value
    (allow). Currently, a read of the sysctl file would return "kill trap
    errno trace allow". The contents of this sysctl file can be useful for
    userspace code as well as the system administrator.
    
    The path to the sysctl is:
    
      /proc/sys/kernel/seccomp/actions_avail
    
    libseccomp and other userspace code can easily determine which actions
    the current kernel supports. The set of actions supported by the current
    kernel may be different than the set of action macros found in kernel
    headers that were installed where the userspace code was built.
    
    In addition, this sysctl will allow system administrators to know which
    actions are supported by the kernel and make it easier to configure
    exactly what seccomp logs through the audit subsystem. Support for this
    level of logging configuration will come in a future patch.
    
    Signed-off-by: Tyler Hicks <tyhicks@canonical.com>
    Signed-off-by: Kees Cook <keescook@chromium.org>
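An added example, not code from this patch or from libseccomp, showing how userspace might consume the sysctl the commit describes: it parses the space-separated, lowest-to-highest ordered action list, answers whether a named action is supported, and treats a missing file on an older kernel as "unknown" rather than "no actions". The file path is the one given in the commit message; the struct, function names, size limits and the sample string are this example's own assumptions.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define MAX_ACTIONS 16
struct actions_avail {
	char names[MAX_ACTIONS][16]; /* kernel order: lowest action value first */
	int count;
};

/* Parse sysctl text such as "kill trap errno trace allow\n" into an ordered
 * list. Returns the count, or -1 for input this buffer cannot hold. */
int parse_actions_avail(const char *buf, struct actions_avail *out)
{
	const char *p = buf;
	out->count = 0;
	for (p += strspn(p, " \n"); *p; p += strspn(p, " \n")) {
		size_t len = strcspn(p, " \n"); /* one whitespace-delimited name */
		if (out->count >= MAX_ACTIONS || len >= sizeof(out->names[0]))
			return -1; /* refuse rather than silently truncate */
		memcpy(out->names[out->count], p, len);
		out->names[out->count++][len] = '\0';
		p += len;
	}
	return out->count;
}

/* 1 if the kernel lists the action by name, 0 otherwise. */
int action_supported(const struct actions_avail *a, const char *name)
{
	for (int i = 0; i < a->count; i++)
		if (strcmp(a->names[i], name) == 0)
			return 1;
	return 0;
}

/* Read the live sysctl. Returns -ENOENT on kernels that predate this file;
 * callers must treat that as "unknown", not as "no actions supported". */
int read_actions_avail(struct actions_avail *out)
{
	char buf[256];
	FILE *f = fopen("/proc/sys/kernel/seccomp/actions_avail", "r");
	char *got;
	if (!f)
		return -errno;
	got = fgets(buf, sizeof(buf), f);
	fclose(f);
	return got ? parse_actions_avail(buf, out) : -EIO;
}
```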