[hotfix] seccomp: default to -ENOSYS for SECCOMP_RET_ERRNO #2746
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This is a hotfix to make -ENOSYS the default errno if the default action is SECCOMP_RET_ERRNO. This is necessary because glibc cannot make use of newer syscalls if we block all unknown syscalls with -EPERM (our old behaviour). Unfortunately this is not an ideal solution (syscalls with complicated rules will now return -ENOSYS rather than -EPERM) but a complete solution will require far more work -- most likely a reimplementation of libseccomp to allow us to create custom BPF filters ourselves, or large changes to libseccomp to better accommodate our requirements -- and thus this hotfix was written to solve the immediate problem while we work on a more complete solution. Signed-off-by: Aleksa Sarai <[email protected]>
Signed-off-by: Aleksa Sarai <[email protected]>
|
@richfelker Maybe this PR (specifically the test program) better demonstrates why we need some way of either having inverse rules or another way of returning |
|
I've thought of a nicer solution to this problem, which I'll implement in a separate PR tomorrow. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a hotfix to make -ENOSYS the default errno if the default action
is SECCOMP_RET_ERRNO. This is necessary because glibc cannot make use of
newer syscalls if we block all unknown syscalls with -EPERM (our old
behaviour).
Unfortunately this is not an ideal solution (syscalls with complicated
rules will now return -ENOSYS rather than -EPERM) but a complete
solution will require far more work -- most likely a reimplementation of
libseccomp to allow us to create custom BPF filters ourselves, or large
changes to libseccomp to better accommodate our requirements -- and thus
this hotfix was written to solve the immediate problem while we work on
a more complete solution.
Fixes #2151
Signed-off-by: Aleksa Sarai [email protected]