From 4bcd065f2430a9e8ebfea8e7de95c97eeb6269eb Mon Sep 17 00:00:00 2001
From: Alban Crequy
Date: Wed, 7 Sep 2022 11:57:31 +0200
Subject: [PATCH] seccomp: Add flag SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV

Linux 5.19 introduced a new seccomp flag: SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV

It is useful for seccomp notify when handling notification from Golang programs which are often preempted by the runtime with SIGURG.

Signed-off-by: Alban Crequy
---
 config-linux.md        | 1 +
 schema/defs-linux.json | 3 ++-
 specs-go/config.go     | 4 ++++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/config-linux.md b/config-linux.md
index 178361f..20d84f4 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -701,6 +701,7 @@ The following parameters can be specified to set up seccomp:
     * `SECCOMP_FILTER_FLAG_TSYNC`
     * `SECCOMP_FILTER_FLAG_LOG`
     * `SECCOMP_FILTER_FLAG_SPEC_ALLOW`
+    * `SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV`
 * **`listenerPath`** *(string, OPTIONAL)* - specifies the path of UNIX domain socket over which the runtime will send the [container process state](#containerprocessstate) data structure when the `SCMP_ACT_NOTIFY` action is used.
     This socket MUST use `AF_UNIX` domain and `SOCK_STREAM` type.
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
index 5727802..ff36288 100644
--- a/schema/defs-linux.json
+++ b/schema/defs-linux.json
@@ -70,7 +70,8 @@
             "enum": [
                 "SECCOMP_FILTER_FLAG_TSYNC",
                 "SECCOMP_FILTER_FLAG_LOG",
-                "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+                "SECCOMP_FILTER_FLAG_SPEC_ALLOW",
+                "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"
             ]
         },
         "SeccompOperators": {
diff --git a/specs-go/config.go b/specs-go/config.go
index 7e91221..10de2c7 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -645,6 +645,10 @@ const (
 	// LinuxSeccompFlagSpecAllow can be used to disable Speculative Store
 	// Bypass mitigation. (since Linux 4.17)
 	LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+
+	// LinuxSeccompFlagWaitKillableRecv can be used to switch to the wait
+	// killable semantics. (since Linux 5.19)
+	LinuxSeccompFlagWaitKillableRecv LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_WAIT_KILLABLE_RECV"
 )

// Additional architectures permitted to be used for system calls
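Review bot: The doc comment on the added `LinuxSeccompFlagWaitKillableRecv` constant says only that it "can be used to switch to the wait killable semantics", which tells a spec reader neither what changes for the container process nor why a runtime would set it, whereas the sibling `LinuxSeccompFlagSpecAllow` comment just above names its concrete effect. As far as I know the kernel flag makes a syscall whose notification has already been received by the supervisor wait in a state that only fatal signals can interrupt, so that non-fatal signals (such as the SIGURG preemption the commit message mentions) do not abort the syscall and discard the supervisor's response; please confirm this wording against the seccomp(2) man page before taking it. I would replace the two comment lines with `// LinuxSeccompFlagWaitKillableRecv makes a syscall whose notification has already been received by the supervisor wait in a state that only fatal signals can interrupt, so non-fatal signals (e.g. SIGURG) do not cancel it. (since Linux 5.19)`. Since the value is passed through to seccomp(2), presumably kernels older than 5.19 reject a filter that carries it, which is worth a sentence in the same comment or in the config-linux.md hunk so that configuration authors know the flag is not silently ignored. The enclosing const block starts outside the hunk.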