From e81ebb1200397b05698f502674926c9f037fed51 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Mon, 24 May 2021 12:33:14 +0200
Subject: [PATCH 1/4] seccomp: add support for defaultErrnoRet
Add support to specify the default errno return value. The OCI runtime specs already have support for it, and both crun (>= 0.19) and runc (>= 1.0-rc95) have support for it.
Signed-off-by: Giuseppe Scrivano
(cherry picked from commit adee333df76c02d99c740cf82cdf6074cade49b9)
Signed-off-by: Kir Kolyshkin
---
 pkg/seccomp/conversion.go | 1 +
 pkg/seccomp/filter.go | 2 +-
 pkg/seccomp/seccomp_linux.go | 1 +
 pkg/seccomp/types.go | 3 ++-
 4 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/pkg/seccomp/conversion.go b/pkg/seccomp/conversion.go
index dfab381a5..4c25cb1b1 100644
--- a/pkg/seccomp/conversion.go
+++ b/pkg/seccomp/conversion.go
@@ -118,6 +118,7 @@ func specToSeccomp(spec *specs.LinuxSeccomp) (*Seccomp, error) {
 return nil, errors.Wrap(err, "convert default action")
 }
 res.DefaultAction = newDefaultAction
+ res.DefaultErrnoRet = spec.DefaultErrnoRet
 // Loop through all syscall blocks and convert them to the internal format
 for _, call := range spec.Syscalls {
diff --git a/pkg/seccomp/filter.go b/pkg/seccomp/filter.go
index ac9b2698f..90da99f0a 100644
--- a/pkg/seccomp/filter.go
+++ b/pkg/seccomp/filter.go
@@ -41,7 +41,7 @@ func BuildFilter(spec *specs.LinuxSeccomp) (*libseccomp.ScmpFilter, error) {
 return nil, errors.Wrap(err, "convert spec to seccomp profile")
 }
- defaultAction, err := toAction(profile.DefaultAction, nil)
+ defaultAction, err := toAction(profile.DefaultAction, profile.DefaultErrnoRet)
 if err != nil {
 return nil, errors.Wrapf(err, "convert default action %s", profile.DefaultAction)
 }
diff --git a/pkg/seccomp/seccomp_linux.go b/pkg/seccomp/seccomp_linux.go
index 19500cc97..af36b9990 100644
--- a/pkg/seccomp/seccomp_linux.go
+++ b/pkg/seccomp/seccomp_linux.go
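Review bot: `res.DefaultErrnoRet = spec.DefaultErrnoRet` stores the caller's pointer rather than the errno value, so the converted profile and the input spec share one `uint` and a later write through either side is visible on the other; the seccomp_linux.go hunk (`newConfig.DefaultErrnoRet = config.DefaultErrnoRet`) aliases in the same way in the opposite direction. Since the profile is what BuildFilter later turns into a kernel filter, it is safer for the internal struct to own its copy: `if spec.DefaultErrnoRet != nil { v := *spec.DefaultErrnoRet; res.DefaultErrnoRet = &v }`, and the same shape for setupSeccomp. specToSeccomp continues outside the hunk.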
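Review bot: Passing `profile.DefaultErrnoRet` into `toAction` makes the default-action path depend on whatever checks toAction applies to the errno pointer, and those are not visible in this hunk. If toAction rejects a non-nil errno for actions that do not return one, a profile combining `defaultAction: SCMP_ACT_KILL` with `defaultErrnoRet` now fails in BuildFilter where it previously loaded; if it does not bound-check, a `uint` larger than the return code libseccomp accepts would presumably be narrowed silently, so the filter would deny with a different errno than the profile author wrote. A small table-driven test over default action and errno combinations would pin whichever behaviour is intended. BuildFilter continues outside the hunk.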
@@ -111,6 +111,7 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 }
 newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+ newConfig.DefaultErrnoRet = config.DefaultErrnoRet
 Loop:
 // Loop through all syscall blocks and convert them to libcontainer format after filtering them
diff --git a/pkg/seccomp/types.go b/pkg/seccomp/types.go
index 7b0436dfc..36712458a 100644
--- a/pkg/seccomp/types.go
+++ b/pkg/seccomp/types.go
@@ -6,7 +6,8 @@ package seccomp
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {
- DefaultAction Action `json:"defaultAction"`
+ DefaultAction Action `json:"defaultAction"`
+ DefaultErrnoRet *uint `json:"defaultErrnoRet"`
 // Architectures is kept to maintain backward compatibility with the old
 // seccomp profile.
 Architectures []Arch `json:"architectures,omitempty"`
From 8cb3d73bc2d6c76ecf1a458f9863c559d3439686 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 23 Jul 2021 16:50:10 -0700
Subject: [PATCH 2/4] pkg/seccomp: avoid DefaultErrnoRet: null
This prevents "defaultErrnoRet": null, from appearing in seccomp.json. This member is similar to ErrnoRet in type Syscall, and should also be marked with omitempty.
Signed-off-by: Kir Kolyshkin
---
 pkg/seccomp/types.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pkg/seccomp/types.go b/pkg/seccomp/types.go
index 36712458a..07751f729 100644
--- a/pkg/seccomp/types.go
+++ b/pkg/seccomp/types.go
@@ -7,7 +7,7 @@ package seccomp
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {
 DefaultAction Action `json:"defaultAction"`
- DefaultErrnoRet *uint `json:"defaultErrnoRet"`
+ DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
 // Architectures is kept to maintain backward compatibility with the old
 // seccomp profile.
 Architectures []Arch `json:"architectures,omitempty"`
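Review bot: The new `DefaultErrnoRet *uint` field in the types.go hunk carries no doc comment, although the neighbouring `Architectures` field explains its purpose and the profile JSON is what operators edit by hand; a reader of the type cannot tell what a nil pointer means or which default actions consult the value. Suggest adding above the field: `// DefaultErrnoRet is the errno returned by DefaultAction when that action returns an errno; nil presumably leaves the runtime's own default in place.` The same two lines are touched again by the PATCH 2/4 hunk that adds omitempty, so the comment can be placed in either. The Seccomp struct continues outside the hunk.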
From 13c470a893f31d9136bc5dad55bcb80d49d817d5 Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 23 Jul 2021 16:21:47 -0700
Subject: [PATCH 3/4] v0.38.17
* pkg/seccomp: add support for default errno return value.
Signed-off-by: Kir Kolyshkin
---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index 6e8b6224d..8655c77cd 100644
--- a/version/version.go
+++ b/version/version.go
@@ -1,4 +1,4 @@
 package version
 // Version is the version of the build.
-const Version = "0.38.17-dev"
+const Version = "0.38.17"
From f09951c25b566ed33337110c9046bfabf0953c7b Mon Sep 17 00:00:00 2001
From: Kir Kolyshkin
Date: Fri, 23 Jul 2021 16:23:12 -0700
Subject: [PATCH 4/4] version: bump to v0.38.18-dev
Signed-off-by: Kir Kolyshkin
---
 version/version.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/version/version.go b/version/version.go
index 8655c77cd..49e0319f6 100644
--- a/version/version.go
+++ b/version/version.go
@@ -1,4 +1,4 @@
 package version
 // Version is the version of the build.
-const Version = "0.38.17"
+const Version = "0.38.18-dev"