From ec964dfa30dd550c40025bc958dd91dfa1e2d3dc Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Mon, 22 Feb 2021 16:47:37 +0100 Subject: [PATCH 1/2] seccomp: expect error with invalid errnoRet Signed-off-by: Giuseppe Scrivano --- config-linux.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/config-linux.md b/config-linux.md index e7a5decad..3c9d77f5a 100644 --- a/config-linux.md +++ b/config-linux.md @@ -645,8 +645,9 @@ The following parameters can be specified to set up seccomp: * `SCMP_ACT_LOG` * **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use. - Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno - code to return. If not specified its default value is `EPERM`. + Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return. + When the action doesn't support an errno, the runtime MUST print and error and fail. + If not specified its default value is `EPERM`. * **`args`** *(array of objects, OPTIONAL)* - the specific syscall in seccomp. Each entry has the following structure: From f7ef278d1bbaa6f97b8ef511fad478a31e953290 Mon Sep 17 00:00:00 2001 From: Giuseppe Scrivano Date: Thu, 21 Jan 2021 13:20:57 +0100 Subject: [PATCH 2/2] seccomp: allow to override default errno return code the specs already support overriding the errno code for the syscalls but the default value is hardcoded to EPERM. Add a new attribute to override the default value. Signed-off-by: Giuseppe Scrivano --- config-linux.md | 4 ++++ schema/config-linux.json | 3 +++ specs-go/config.go | 9 +++++---- 3 files changed, 12 insertions(+), 4 deletions(-) diff --git a/config-linux.md b/config-linux.md index 3c9d77f5a..9a515fbfd 100644 --- a/config-linux.md +++ b/config-linux.md @@ -594,6 +594,10 @@ The actions, architectures, and operators are strings that match the definitions The following parameters can be specified to set up seccomp: * **`defaultAction`** *(string, REQUIRED)* - the default action for seccomp. Allowed values are the same as `syscalls[].action`. +* **`defaultErrnoRet`** *(uint, OPTIONAL)* - the errno return code to use. + Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return. + When the action doesn't support an errno, the runtime MUST print and error and fail. + If not specified then its default value is `EPERM`. * **`architectures`** *(array of strings, OPTIONAL)* - the architecture used for system calls. A valid list of constants as of libseccomp v2.5.0 is shown below. diff --git a/schema/config-linux.json b/schema/config-linux.json index 83478cc9f..61468b9c7 100644 --- a/schema/config-linux.json +++ b/schema/config-linux.json @@ -203,6 +203,9 @@ "defaultAction": { "$ref": "defs-linux.json#/definitions/SeccompAction" }, + "defaultErrnoRet": { + "$ref": "defs.json#/definitions/uint32" + }, "flags": { "type": "array", "items": { diff --git a/specs-go/config.go b/specs-go/config.go index 40955144b..16eac6dd0 100644 --- a/specs-go/config.go +++ b/specs-go/config.go @@ -598,10 +598,11 @@ type VMImage struct { // LinuxSeccomp represents syscall restrictions type LinuxSeccomp struct { - DefaultAction LinuxSeccompAction `json:"defaultAction"` - Architectures []Arch `json:"architectures,omitempty"` - Flags []LinuxSeccompFlag `json:"flags,omitempty"` - Syscalls []LinuxSyscall `json:"syscalls,omitempty"` + DefaultAction LinuxSeccompAction `json:"defaultAction"` + DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"` + Architectures []Arch `json:"architectures,omitempty"` + Flags []LinuxSeccompFlag `json:"flags,omitempty"` + Syscalls []LinuxSyscall `json:"syscalls,omitempty"` } // Arch used for additional architectures