config-linux: Default should be ENOSYS.

On Linux the major C libraries expect that syscalls that are blocked from running in the container runtime return ENOSYS to allow fallbacks to be used. Returning EPERM by default is not useful particularly for syscalls that would return EPERM for actual access restrictions e.g. the new faccessat2. The runtime-spec should set the standard and recommend ENOSYS be returned just like a kernel would that doesn't support that syscall. This allows C runtimes to fall back on other possible implementations given the userspace policies. Please see the upstream discussions: https://lwn.net/Articles/738694/ - Discusses fragility of syscall filtering. opencontainers/runc#2151 - glibc and musl request ENOSYS return for unknown syscalls. systemd/systemd#16739 - Discusses systemd-nspawn breakage with faccessat2. systemd/systemd#16819 - General policy for systemd-nspawn to return ENOSYS. seccomp/libseccomp#286 - Block unknown syscalls and return ENOSYS.
codonell · Nov 17, 2020 · ed96cad · ed96cad · cyphar · Nov 24, 2020
1 parent f1164e5
commit ed96cad
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/config-linux.md b/config-linux.md
@@ -646,7 +646,7 @@ The following parameters can be specified to set up seccomp:
 
  * **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
  Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno
- code to return. If not specified its default value is `EPERM`.
+ code to return. If not specified its default value is `ENOSYS`.
 
  * **`args`** *(array of objects, OPTIONAL)* - the specific syscall in seccomp.
  Each entry has the following structure: