From fb794166d9406aefcb2ad0f5a2d7eeaa84181f80 Mon Sep 17 00:00:00 2001
From: Rodrigo Campos
Date: Fri, 30 Jul 2021 16:47:17 +0200
Subject: [PATCH] seccomp: Use explicit DefaultErrnoRet

Since commit "seccomp: Sync fields with runtime-spec fields" (5d244675bdb23e8fce427036c03517243f344cd4) we support to specify the DefaultErrnoRet to be used. Before that commit it was not specified and EPERM was used by default. This commit keeps the same behaviour but just makes it explicit that the default is EPERM.

Signed-off-by: Rodrigo Campos
---
 profiles/seccomp/default.json | 1 +
 profiles/seccomp/default_linux.go | 4 +++-
 profiles/seccomp/fixtures/example.json | 1 +
 profiles/seccomp/seccomp_test.go | 4 +++-
 4 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/profiles/seccomp/default.json b/profiles/seccomp/default.json
index 2f14e58257..7ec75179ad 100644
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@@ -1,5 +1,6 @@
 {
 "defaultAction": "SCMP_ACT_ERRNO",
+ "defaultErrnoRet": 1,
 "archMap": [
 {
 "architecture": "SCMP_ARCH_X86_64",
diff --git a/profiles/seccomp/default_linux.go b/profiles/seccomp/default_linux.go
index 5fa5fe59d2..4c45c242a7 100644
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@@ -739,9 +739,11 @@ func DefaultProfile() *Seccomp {
 },
 }
+ errnoRet := uint(unix.EPERM)
 return &Seccomp{
 LinuxSeccomp: specs.LinuxSeccomp{
- DefaultAction: specs.ActErrno,
+ DefaultAction: specs.ActErrno,
+ DefaultErrnoRet: &errnoRet,
 },
 ArchMap: arches(),
 Syscalls: syscalls,
diff --git a/profiles/seccomp/fixtures/example.json b/profiles/seccomp/fixtures/example.json
index 21dea414d5..80c5a3152d 100644
--- a/profiles/seccomp/fixtures/example.json
+++ b/profiles/seccomp/fixtures/example.json
@@ -1,5 +1,6 @@
 {
 "defaultAction": "SCMP_ACT_ERRNO",
+ "defaultErrnoRet": 1,
 "syscalls": [
 {
 "name": "clone",
diff --git a/profiles/seccomp/seccomp_test.go b/profiles/seccomp/seccomp_test.go
index eb4b95cc45..9558d8c58b 100644
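Review bot: The new `errnoRet := uint(unix.EPERM)` line in the default_linux.go hunk has no comment saying why the errno is pinned, while default.json and fixtures/example.json carry the same value as the bare literal `1`, so the Go and JSON forms of the default profile can drift apart silently. I would add `// Syscalls matched by no rule fail with EPERM; set explicitly so the result does not depend on the runtime's fallback when defaultErrnoRet is absent.` above the assignment. JSON cannot hold a comment, so the guard there would be a test comparing the unmarshalled default.json with DefaultProfile(); none is visible in this patch, so confirm one exists. DefaultProfile starts and ends outside the hunk, and the `unix` import is presumably already present in the file.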
--- a/profiles/seccomp/seccomp_test.go
+++ b/profiles/seccomp/seccomp_test.go
@@ -23,8 +23,10 @@ func TestLoadProfile(t *testing.T) {
 t.Fatal(err)
 }
 var expectedErrno uint = 12345
+ var expectedDefaultErrno uint = 1
 expected := specs.LinuxSeccomp{
- DefaultAction: specs.ActErrno,
+ DefaultAction: specs.ActErrno,
+ DefaultErrnoRet: &expectedDefaultErrno,
 Syscalls: []specs.LinuxSyscall{
 {
 Names: []string{"clone"},
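Review bot: `var expectedDefaultErrno uint = 1` only pins the value read back from fixtures/example.json; nothing in this hunk checks that DefaultProfile() itself returns a non-nil DefaultErrnoRet equal to EPERM, which is the behaviour the commit message promises to keep. A separate small test with `if p := DefaultProfile(); p.LinuxSeccomp.DefaultErrnoRet == nil || *p.LinuxSeccomp.DefaultErrnoRet != 1 { t.Fatal("default profile must return EPERM") }` would catch a regression to an implicit default. A trailing `// EPERM` on the new literal would also tell the reader what `1` stands for. Since the field is a pointer, the comparison later in TestLoadProfile (outside this hunk) has to compare by value rather than by address; presumably it already does.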