seccomp: add support for defaultErrnoRet

giuseppe · giuseppe · commit adee333df76c · 2021-06-14T19:08:06.000+02:00
Add support to specify the default errno return value.

The OCI runtime specs already have support for it, and both crun (&gt;=
0.19) and runc (&gt;= 1.0-rc95) have support for it.

Signed-off-by: Giuseppe Scrivano &lt;gscrivan@redhat.com&gt;
diff --git a/pkg/seccomp/conversion.go b/pkg/seccomp/conversion.go
@@ -118,6 +118,7 @@ func specToSeccomp(spec *specs.LinuxSeccomp) (*Seccomp, error) {
 		return nil, errors.Wrap(err, "convert default action")
 	}
 	res.DefaultAction = newDefaultAction
+	res.DefaultErrnoRet = spec.DefaultErrnoRet
 
 	// Loop through all syscall blocks and convert them to the internal format
 	for _, call := range spec.Syscalls {
diff --git a/pkg/seccomp/filter.go b/pkg/seccomp/filter.go
@@ -41,7 +41,7 @@ func BuildFilter(spec *specs.LinuxSeccomp) (*libseccomp.ScmpFilter, error) {
 		return nil, errors.Wrap(err, "convert spec to seccomp profile")
 	}
 
-	defaultAction, err := toAction(profile.DefaultAction, nil)
+	defaultAction, err := toAction(profile.DefaultAction, profile.DefaultErrnoRet)
 	if err != nil {
 		return nil, errors.Wrapf(err, "convert default action %s", profile.DefaultAction)
 	}
diff --git a/pkg/seccomp/seccomp_linux.go b/pkg/seccomp/seccomp_linux.go
@@ -111,6 +111,7 @@ func setupSeccomp(config *Seccomp, rs *specs.Spec) (*specs.LinuxSeccomp, error)
 	}
 
 	newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)
+	newConfig.DefaultErrnoRet = config.DefaultErrnoRet
 
 Loop:
 	// Loop through all syscall blocks and convert them to libcontainer format after filtering them
diff --git a/pkg/seccomp/types.go b/pkg/seccomp/types.go
@@ -6,7 +6,8 @@ package seccomp
 
 // Seccomp represents the config for a seccomp profile for syscall restriction.
 type Seccomp struct {
-	DefaultAction Action `json:"defaultAction"`
+	DefaultAction   Action `json:"defaultAction"`
+	DefaultErrnoRet *uint  `json:"defaultErrnoRet"`
 	// Architectures is kept to maintain backward compatibility with the old
 	// seccomp profile.
 	Architectures []Arch         `json:"architectures,omitempty"`

Original file line number	Diff line number	Diff line change
`@@ -118,6 +118,7 @@ func specToSeccomp(spec specs.LinuxSeccomp) (Seccomp, error) {`
`118`	`118`	`return nil, errors.Wrap(err, "convert default action")`
`119`	`119`	`}`
`120`	`120`	`res.DefaultAction = newDefaultAction`
	`121`	`+ res.DefaultErrnoRet = spec.DefaultErrnoRet`
`121`	`122`
`122`	`123`	`// Loop through all syscall blocks and convert them to the internal format`
`123`	`124`	`for _, call := range spec.Syscalls {`
Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ func BuildFilter(spec specs.LinuxSeccomp) (libseccomp.ScmpFilter, error) {`
`41`	`41`	`return nil, errors.Wrap(err, "convert spec to seccomp profile")`
`42`	`42`	`}`
`43`	`43`
`44`		`- defaultAction, err := toAction(profile.DefaultAction, nil)`
	`44`	`+ defaultAction, err := toAction(profile.DefaultAction, profile.DefaultErrnoRet)`
`45`	`45`	`if err != nil {`
`46`	`46`	`return nil, errors.Wrapf(err, "convert default action %s", profile.DefaultAction)`
`47`	`47`	`}`
Original file line number	Diff line number	Diff line change
`@@ -111,6 +111,7 @@ func setupSeccomp(config Seccomp, rs specs.Spec) (*specs.LinuxSeccomp, error)`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`newConfig.DefaultAction = specs.LinuxSeccompAction(config.DefaultAction)`
	`114`	`+ newConfig.DefaultErrnoRet = config.DefaultErrnoRet`
`114`	`115`
`115`	`116`	`Loop:`
`116`	`117`	`// Loop through all syscall blocks and convert them to libcontainer format after filtering them`