From adee333df76c02d99c740cf82cdf6074cade49b9 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 24 May 2021 12:33:14 +0200
Subject: [PATCH] seccomp: add support for defaultErrnoRet

Add support to specify the default errno return value. The OCI runtime specs already have support for it, and both crun (>= 0.19) and runc (>= 1.0-rc95) have support for it.

Signed-off-by: Giuseppe Scrivano
---
 pkg/seccomp/conversion.go | 1 +
 pkg/seccomp/filter.go | 2 +-
 pkg/seccomp/seccomp_linux.go | 1 +
 pkg/seccomp/types.go | 3 ++-
 4 files changed, 5 insertions(+), 2 deletions(-)

diff --git a/pkg/seccomp/conversion.go b/pkg/seccomp/conversion.go
index dfab381a5..4c25cb1b1 100644
--- a/pkg/seccomp/conversion.go
+++ b/pkg/seccomp/conversion.go
@@ -118,6 +118,7 @@ func specToSeccomp(spec *specs.LinuxSeccomp) (*Seccomp, error) {
 return nil, errors.Wrap(err, "convert default action")
 }
 res.DefaultAction = newDefaultAction
+res.DefaultErrnoRet = spec.DefaultErrnoRet
 
 // Loop through all syscall blocks and convert them to the internal format
 for _, call := range spec.Syscalls {
diff --git a/pkg/seccomp/filter.go b/pkg/seccomp/filter.go
index ac9b2698f..90da99f0a 100644
--- a/pkg/seccomp/filter.go
+++ b/pkg/seccomp/filter.go
@@ -41,7 +41,7 @@ func BuildFilter(spec *specs.LinuxSeccomp) (*libseccomp.ScmpFilter, error) {
 return nil, errors.Wrap(err, "convert spec to seccomp profile")
 }
 
-defaultAction, err := toAction(profile.DefaultAction, nil)
+defaultAction, err := toAction(profile.DefaultAction, profile.DefaultErrnoRet)
 if err != nil {
 return nil, errors.Wrapf(err, "convert default action %s", profile.DefaultAction)
 }
diff --git a/pkg/seccomp/seccomp_linux.go b/pkg/seccomp/seccomp_linux.go
index 19500cc97..af36b9990 100644
--- a/pkg/seccomp/seccomp_linux.go
+++ b/pkg/seccomp/seccomp_linux.go
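Review bot: The new `res.DefaultErrnoRet = spec.DefaultErrnoRet` line in specToSeccomp accepts an errno for any default action, while the OCI runtime-spec only defines errnoRet for SCMP_ACT_ERRNO and SCMP_ACT_TRACE and requires a runtime to reject it otherwise; unless toAction already enforces that (it is not visible here), a profile that pairs defaultErrnoRet with, say, an SCMP_ACT_ALLOW default passes conversion and the errno is silently dropped. I would validate right after the action is converted: `if spec.DefaultErrnoRet != nil && newDefaultAction != ActErrno && newDefaultAction != ActTrace {` / `return nil, errors.Errorf("defaultErrnoRet is only valid with %s or %s default action", ActErrno, ActTrace)` / `}`. The assignment also aliases the caller's pointer instead of copying the value, so a later change to the spec would alter the converted profile; copying the uint into a fresh pointer decouples the two. specToSeccomp starts and continues outside the hunk.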
@@ -111,6 +111,7 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 }
 newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+newConfig.DefaultErrnoRet = config.DefaultErrnoRet
 Loop:
 // Loop through all syscall blocks and convert them to libcontainer format after filtering them
diff --git a/pkg/seccomp/types.go b/pkg/seccomp/types.go
index 7b0436dfc..36712458a 100644
--- a/pkg/seccomp/types.go
+++ b/pkg/seccomp/types.go
@@ -6,7 +6,8 @@ package seccomp
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {
-DefaultAction Action `json:"defaultAction"`
+DefaultAction Action `json:"defaultAction"`
+DefaultErrnoRet *uint `json:"defaultErrnoRet"`
 // Architectures is kept to maintain backward compatibility with the old
 // seccomp profile.
 Architectures []Arch `json:"architectures,omitempty"`
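Review bot: `newConfig.DefaultErrnoRet = config.DefaultErrnoRet` in setupSeccomp forwards the errno into the OCI config without checking that `config.DefaultAction` is an action that takes an errno, so a compliant runtime will refuse such a config and the profile error surfaces at container start from the runtime rather than at profile load from this package. If the combination is not already rejected where the profile is parsed, the check belongs here or in a shared validator. Runtimes that predate the field and decode the config with a lenient JSON decoder will most likely drop it and fall back to their built-in errno, which is worth a comment next to the assignment, e.g. `// DefaultErrnoRet is only honoured by runtimes that implement the OCI defaultErrnoRet field; older runtimes ignore it.`. setupSeccomp starts and continues outside the hunk.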