seccomp: Use explicit DefaultErrnoRet

Since commit "seccomp: Sync fields with runtime-spec fields" (5d244675bd) we support to specify the DefaultErrnoRet to be used. Before that commit it was not specified and EPERM was used by default. This commit keeps the same behaviour but just makes it explicit that the default is EPERM. Signed-off-by: Rodrigo Campos <rodrigo@kinvolk.io>
2021-07-30 16:47:17 +02:00 · 2021-07-30 16:47:17 +02:00 · fb794166d9
commit fb794166d9
parent 1f42dd5e91
4 changed files with 8 additions and 2 deletions
--- a/profiles/seccomp/default.json
+++ b/profiles/seccomp/default.json
@ -1,5 +1,6 @@
 {
 	"defaultAction": "SCMP_ACT_ERRNO",
+	"defaultErrnoRet": 1,
 	"archMap": [
 		{
 			"architecture": "SCMP_ARCH_X86_64",
--- a/profiles/seccomp/default_linux.go
+++ b/profiles/seccomp/default_linux.go
@ -739,9 +739,11 @@ func DefaultProfile() *Seccomp {
 		},
 	}

+	errnoRet := uint(unix.EPERM)
 	return &Seccomp{
 		LinuxSeccomp: specs.LinuxSeccomp{
-			DefaultAction: specs.ActErrno,
+			DefaultAction:   specs.ActErrno,
+			DefaultErrnoRet: &errnoRet,
 		},
 		ArchMap:  arches(),
 		Syscalls: syscalls,
--- a/profiles/seccomp/fixtures/example.json
+++ b/profiles/seccomp/fixtures/example.json
@ -1,5 +1,6 @@
 {
    "defaultAction": "SCMP_ACT_ERRNO",
+    "defaultErrnoRet": 1,
    "syscalls": [
        {
            "name": "clone",
--- a/profiles/seccomp/seccomp_test.go
+++ b/profiles/seccomp/seccomp_test.go
@ -23,8 +23,10 @@ func TestLoadProfile(t *testing.T) {
 		t.Fatal(err)
 	}
 	var expectedErrno uint = 12345
+	var expectedDefaultErrno uint = 1
 	expected := specs.LinuxSeccomp{
-		DefaultAction: specs.ActErrno,
+		DefaultAction:   specs.ActErrno,
+		DefaultErrnoRet: &expectedDefaultErrno,
 		Syscalls: []specs.LinuxSyscall{
 			{
 				Names:  []string{"clone"},