Thank you

So heads up, updating the toolchain might be slightly more involved. The CI (and the common build) always uses a previously built and released version of the toolchain. Doing this release requires several steps. Currently the repository is more up to date vs the version of the toolchain that's released, and while I wanted to do a new release with the toolchain using LLVM 11, I realized that we have to correct the usage of the kernel headers. They were set to version 4.9 back then due to some BPF dependencies but this is partially incorrect because we support CentOS 6. What we should do toolchain wise is actually to compile against CentOS 6 kernel version of headers, then osquery has to define the newer kernels defines and at runtime detect if some feature is available or not.

Got it, we can just define missing constants in our source, but that requires some "ugly" decisions, like should we define only constants that are missing in 4.7, or all used constants. I though updating headers in toolchain would be better than trying to make questionable constants in osquery itself, that would become redundant in future

I see what you mean; my interest is mainly trying not to block your PR and at the same time try to adhere to what I was saying earlier. I haven't checked specifically, but lets say we're not updating the toolchain right now, which constants have to be defined for the code to compile? Updating the toolchain really needs some tests to see how it works with older distros, that's something we really want to have.

I should recheck, as that patch was done a year before (we used it internally for a year). Most probably the missing constants are: SECCOMP_RET_KILL_PROCESS and SECCOMP_RET_LOG, both introduced in 4.14 https://github.com/torvalds/linux/commit/4d3b0b05aae9ee9ce0970dc4cc0fb3fad5e85945

I see, then that might be enough for that issue. Thank you for understanding!

SECCOMP_RET_KILL_THREAD also need to be checked, accouding to

man seccomp

it replaced SECCOMP_RET_KILL in 4.14

Maybe that's a rename only though.

Yes, but that``SECCOMP_RET_KILL_THREAD` not in 4.13 source, so there must be some other 4.14 patch that introduced new constant.

oh I see, I was assuming they were both present and only manual changed. Nonetheless it seems to me that

SECCOMP_RET_KILL

retained its original value, I'm looking at 4.9 code

Ok. @Anton Zhabolenko, I think you can read our thread.

That's a good question. For simplicity I would just put them inline for now, under the

linux/seccomp.h

header. That is the only usage now and I suspect for a while too. We'll handle moving them somewhere else if needed. But definitely if you can, put them under

ifndef

so that we can play nice with other kind of builds.

We did it and checks passed. Thank you!