Use trap not kill in seccomp filter

Bug: 34647665
Test: Make sure boots, check that causing a seccomp failure creates a
      crash dump

Change-Id: I5ab2fe3e8322a3c38318c97d343834baa874af8d

diff --git a/libc/seccomp/arm64_policy.c b/libc/seccomp/arm64_policy.c
index d5a87d6..6a8bda0 100644 (file)
--- a/libc/seccomp/arm64_policy.c
+++ b/libc/seccomp/arm64_policy.c
@@ -41,7 +41,7 @@ BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 262, 3, 4), //wait4|prlimit64
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 268, 1, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 267, 1, 2), //clock_adjtime
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 272, 0, 1), //setns|sendmmsg|process_vm_readv|process_vm_writev
-BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
 };
 

diff --git a/libc/seccomp/arm_policy.c b/libc/seccomp/arm_policy.c
index 44e734e..de03f45 100644 (file)
--- a/libc/seccomp/arm_policy.c
+++ b/libc/seccomp/arm_policy.c
@@ -139,7 +139,7 @@ BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 378, 3, 4), //sendmmsg|setns|process_vm_readv|pr
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983045, 1, 0),
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983043, 1, 2), //__ARM_NR_cacheflush
 BPF_JUMP(BPF_JMP|BPF_JGE|BPF_K, 983046, 0, 1), //__ARM_NR_set_tls
-BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),
+BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),
 BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),
 };
 

diff --git a/libc/tools/genseccomp.py b/libc/tools/genseccomp.py
index b82bb12..bd003a3 100755 (executable)
--- a/libc/tools/genseccomp.py
+++ b/libc/tools/genseccomp.py
@@ -126,7 +126,7 @@ def construct_bpf(architecture, header_dir, output_path):
              ", 0, " + str(len(bpf)) + "),")
 
   # Add the error and allow calls at the end
-  bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_KILL),")
+  bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_TRAP),")
   bpf.append("BPF_STMT(BPF_RET|BPF_K, SECCOMP_RET_ALLOW),")
 
   # And output policy