Merge pull request opencontainers#1138 from saschagrunert/seccomp-fil…

…ter-flags Add available `LinuxSeccompFlag`s
kolyshkin · Jul 18, 2022 · a8106e9 · a8106e9
2 parents 8d0d6d4 + e78a3c3
commit a8106e9
Showing 1 changed file with 13 additions and 0 deletions.
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -632,6 +632,19 @@ type Arch string
 // LinuxSeccompFlag is a flag to pass to seccomp(2).
 type LinuxSeccompFlag string
 
+const (
+	// LinuxSeccompFlagLog is a seccomp flag to request all returned
+	// actions except SECCOMP_RET_ALLOW to be logged. An administrator may
+	// override this filter flag by preventing specific actions from being
+	// logged via the /proc/sys/kernel/seccomp/actions_logged file. (since
+	// Linux 4.14)
+	LinuxSeccompFlagLog LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_LOG"
+
+	// LinuxSeccompFlagSpecAllow can be used to disable Speculative Store
+	// Bypass mitigation. (since Linux 4.17)
+	LinuxSeccompFlagSpecAllow LinuxSeccompFlag = "SECCOMP_FILTER_FLAG_SPEC_ALLOW"
+)
+
 // Additional architectures permitted to be used for system calls
 // By default only the native architecture of the kernel is permitted
 const (