From f7ef278d1bbaa6f97b8ef511fad478a31e953290 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano <gscrivan@redhat.com>
Date: Thu, 21 Jan 2021 13:20:57 +0100
Subject: [PATCH] seccomp: allow to override default errno return code
the specs already support overriding the errno code for the syscalls
but the default value is hardcoded to EPERM.
Add a new attribute to override the default value.
Signed-off-by: Giuseppe Scrivano <gscrivan@redhat.com>
---
config-linux.md | 4 ++++
schema/config-linux.json | 3 +++
specs-go/config.go | 9 +++++----
3 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/config-linux.md b/config-linux.md
index 3c9d77f5..9a515fbf 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -594,6 +594,10 @@ The actions, architectures, and operators are strings that match the definitions
The following parameters can be specified to set up seccomp:
* **`defaultAction`** *(string, REQUIRED)* - the default action for seccomp. Allowed values are the same as `syscalls[].action`.
+* **`defaultErrnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
+ Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return.
+ When the action doesn't support an errno, the runtime MUST print and error and fail.
+ If not specified then its default value is `EPERM`.
* **`architectures`** *(array of strings, OPTIONAL)* - the architecture used for system calls.
A valid list of constants as of libseccomp v2.5.0 is shown below.
diff --git a/schema/config-linux.json b/schema/config-linux.json
index 83478cc9..61468b9c 100644
--- a/schema/config-linux.json
+++ b/schema/config-linux.json
@@ -203,6 +203,9 @@
"defaultAction": {
"$ref": "defs-linux.json#/definitions/SeccompAction"
},
+ "defaultErrnoRet": {
+ "$ref": "defs.json#/definitions/uint32"
+ },
"flags": {
"type": "array",
"items": {
diff --git a/specs-go/config.go b/specs-go/config.go
index 40955144..16eac6dd 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -598,10 +598,11 @@ type VMImage struct {
// LinuxSeccomp represents syscall restrictions
type LinuxSeccomp struct {
- DefaultAction LinuxSeccompAction `json:"defaultAction"`
- Architectures []Arch `json:"architectures,omitempty"`
- Flags []LinuxSeccompFlag `json:"flags,omitempty"`
- Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
+ DefaultAction LinuxSeccompAction `json:"defaultAction"`
+ DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
+ Architectures []Arch `json:"architectures,omitempty"`
+ Flags []LinuxSeccompFlag `json:"flags,omitempty"`
+ Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
}
// Arch used for additional architectures
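Review bot: The new `DefaultErrnoRet *uint` field in LinuxSeccomp carries none of the contract that the accompanying config-linux.md hunk spells out, so a Go consumer reading only the struct cannot tell that nil means EPERM or that it only applies to actions which take an errno; a short doc comment on the field would fix that, e.g. `// DefaultErrnoRet is the errno returned by SCMP_ACT_ERRNO/SCMP_ACT_TRACE rules that do not set their own; nil means EPERM.` The width is also inconsistent across the three files: the Go field is `*uint` (platform-sized), the schema hunk in config-linux.json constrains it to `defs.json#/definitions/uint32`, and the markdown says `uint`; unless `ErrnoRet` on LinuxSyscall already uses the same combination, aligning them (or documenting the uint32 bound on the Go field) avoids a value the schema rejects being accepted by a runtime that validates only the Go struct. Worth noting in the same comment that the pointer deliberately distinguishes "unset" from an explicit 0, since an explicit 0 makes a filtered syscall appear to succeed, which is a surprising default for a deny rule. The LinuxSeccomp struct is complete within the hunk, but the preceding VMImage type named in the hunk header lies outside it.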