merge branch 'pr-2954'

Giuseppe Scrivano (1):
  libcontainer: honor seccomp defaultErrnoRet

LGTMs: kolyshkin cyphar
Closes #2954

Author: cyphar

libcontainer/configs/config.go

@@ -31,9 +31,10 @@ type IDMap struct {
 // for syscalls. Additional architectures can be added by specifying them in
 // Architectures.
 type Seccomp struct {
-	DefaultAction Action     `json:"default_action"`
-	Architectures []string   `json:"architectures"`
-	Syscalls      []*Syscall `json:"syscalls"`
+	DefaultAction   Action     `json:"default_action"`
+	Architectures   []string   `json:"architectures"`
+	Syscalls        []*Syscall `json:"syscalls"`
+	DefaultErrnoRet *uint      `json:"default_errno_ret"`
 }
 
 // Action is taken upon rule match in Seccomp

libcontainer/seccomp/patchbpf/enosys_linux.go

@@ -523,6 +523,11 @@ func assemble(program []bpf.Instruction) ([]unix.SockFilter, error) {
 }
 
 func generatePatch(config *configs.Seccomp) ([]bpf.Instruction, error) {
+	// Patch the generated cBPF only when there is not a defaultErrnoRet set
+	// and it is different from ENOSYS
+	if config.DefaultErrnoRet != nil && *config.DefaultErrnoRet == uint(retErrnoEnosys) {
+		return nil, nil
+	}
 	// We only add the stub if the default action is not permissive.
 	if isAllowAction(config.DefaultAction) {
 		logrus.Debugf("seccomp: skipping -ENOSYS stub filter generation")

libcontainer/seccomp/seccomp_linux.go

@@ -36,7 +36,7 @@ func InitSeccomp(config *configs.Seccomp) error {
 		return errors.New("cannot initialize Seccomp - nil config passed")
 	}
 
-	defaultAction, err := getAction(config.DefaultAction, nil)
+	defaultAction, err := getAction(config.DefaultAction, config.DefaultErrnoRet)
 	if err != nil {
 		return errors.New("error initializing seccomp - invalid default action")
 	}

libcontainer/specconv/spec_linux.go

@@ -878,6 +878,7 @@ func SetupSeccomp(config *specs.LinuxSeccomp) (*configs.Seccomp, error) {
 		return nil, err
 	}
 	newConfig.DefaultAction = newDefaultAction
+	newConfig.DefaultErrnoRet = config.DefaultErrnoRet
 
 	// Loop through all syscall blocks and convert them to libcontainer format
 	for _, call := range config.Syscalls {

tests/integration/seccomp.bats

@@ -21,3 +21,15 @@ function teardown() {
 	runc run test_busybox
 	[ "$status" -eq 0 ]
 }
+
+@test "runc run [seccomp defaultErrnoRet=ENXIO]" {
+	TEST_NAME="seccomp_syscall_test2"
+
+	# Compile the test binary and update the config to run it.
+	gcc -static -o rootfs/seccomp_test2 "${TESTDATA}/${TEST_NAME}.c"
+	update_config ".linux.seccomp = $(<"${TESTDATA}/${TEST_NAME}.json")"
+	update_config '.process.args = ["/seccomp_test2"]'
+
+	runc run test_busybox
+	[ "$status" -eq 0 ]
+}

tests/integration/testdata/seccomp_syscall_test2.c

@@ -0,0 +1,12 @@
+#include <unistd.h>
+#include <errno.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+int main()
+{
+	if (chdir("/") < 0 && errno == ENXIO)
+		exit(EXIT_SUCCESS);
+	fprintf(stderr, "got errno=%m\n");
+	exit(EXIT_FAILURE);
+}