seccomp: Use explicit DefaultErrnoRet #42649
Conversation
|
@thaJeztah oh, nice PR. I was thinking to open an issue about doing something like that. Feel free to close this and cherry-pick the commit, then! Let me know if you prefer that or if I should polish this PR. Both options are fine for me :) |
|
If you don't mind the rebase (if my PR gets accepted, and merged first), then I'd say; keep this one open 👍 they're addressing different things, so it makes sense to review/merge separately. |
rata
force-pushed
the
rata/seccomp-default-errno
branch
from
f0b7385
to
54182f8
Compare
|
@thaJeztah thanks a lot! I've just rebased on latest master, completed the PR description template and addressed the comments (I think :)). I've also run Let me know if there is anything else missing! Thanks again |
rata
force-pushed
the
rata/seccomp-default-errno
branch
from
54182f8
to
cc607e7
Compare
|
The CI failure seems unrelated to this PR, IIUC. |
rata
force-pushed
the
rata/seccomp-default-errno
branch
from
cc607e7
to
eced734
Compare
|
@thaJeztah @justincormack PTAL. Now it is only one commit, brain fart on my end, it is not needed to change files in I did add the Please let me know what you think, sorry for the brain fart! :) |
|
So, switching the default to ENOSYS is probably a good thing overall (given that clone3 was missed with the seccomp update it seems the runc behaviour is suboptimal -- though in fairness we are fairly restrained by libseccomp limitations). However, there should be some inverse rules defined to return EPERM for syscalls that are explicitly being blocked (unfortunately due to libseccomp limitations some rules cannot be inverted, but most of the rules Docker uses can be -- I know some podman ones can't though). |
|
@cyphar thanks! The idea is to first add the Once this is merged I was planning to open an issue to discuss this, I can cc you when creating the issue :) |
Since commit "seccomp: Sync fields with runtime-spec fields" (5d24467) we support to specify the DefaultErrnoRet to be used. Before that commit it was not specified and EPERM was used by default. This commit keeps the same behaviour but just makes it explicit that the default is EPERM. Signed-off-by: Rodrigo Campos <[email protected]>
rata
force-pushed
the
rata/seccomp-default-errno
branch
from
eced734
to
fb79416
Compare
Oh sorry I misread the title of the PR. Yeah that sounds good to me -- sorry for the noise! |
Since commit "seccomp: Sync fields with runtime-spec fields"
(5d24467) we support to specify the
DefaultErrnoRet to be used.
Before that commit it was not specified and EPERM was used by default.
This commit keeps the same behaviour but just makes it explicit that the
default is EPERM.
Signed-off-by: Rodrigo Campos [email protected]
This a follow-up of #42604 (comment), as suggested by @thaJeztah. This just adds an explicit default to EPERM. Right now the default is EPERM but is implicit.
- What I did
Added the field
DefaultErrnoRetto seccomp profiles- How I did it
Added the field to default profile in
profiles/seccomp/default_linux.go, then adjusted the tests to expect this new field- How to verify it
You can run unit tests with:
TESTDIRS='github.com/docker/docker/profiles/seccomp' make test-unit.You can also run
hack/validate/default-seccompto verify nothing was missing in the changes.- Description for the changelog
Add an explicit DefaultErrnoRet field in the default seccomp profile. No behavior change.
- A picture of a cute animal (not mandatory but encouraged)
