From f87e729ebbe94ee8e012ff04283b8e670f0569da Mon Sep 17 00:00:00 2001 From: Carlos O'Donell Date: Tue, 17 Nov 2020 08:41:09 -0500 Subject: [PATCH] config-linux: Default should be ENOSYS. On Linux the major C libraries expect that syscalls that are blocked from running in the container runtime return ENOSYS to allow fallbacks to be used. Returning EPERM by default is not useful particularly for syscalls that would return EPERM for actual access restrictions e.g. the new faccessat2. The runtime-spec should set the standard and recommend ENOSYS be returned just like a kernel would that doesn't support that syscall. This allows C runtimes to fall back on other possible implementations given the userspace policies. Please see the upstream discussions: https://lwn.net/Articles/738694/ - Discusses fragility of syscall filtering. https://github.com/opencontainers/runc/issues/2151 - glibc and musl request ENOSYS return for unknown syscalls. https://github.com/systemd/systemd/pull/16739 - Discusses systemd-nspawn breakage with faccessat2. https://github.com/systemd/systemd/pull/16819 - General policy for systemd-nspawn to return ENOSYS. https://github.com/seccomp/libseccomp/issues/286 - Block unknown syscalls and return ENOSYS. --- config-linux.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config-linux.md b/config-linux.md index 9ea44a0e1..19278e111 100644 --- a/config-linux.md +++ b/config-linux.md @@ -646,7 +646,7 @@ The following parameters can be specified to set up seccomp: * **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use. Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno - code to return. If not specified its default value is `EPERM`. + code to return. If not specified its default value is `ENOSYS`. * **`args`** *(array of objects, OPTIONAL)* - the specific syscall in seccomp. Each entry has the following structure:
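Review bot: The changed `errnoRet` line flips the default for every rule that omits the field, not only for syscalls the profile does not know about, so existing configurations that relied on the implicit `EPERM` silently change behaviour. The commit message argues for `ENOSYS` so that C libraries can fall back, but a rule that denies a syscall as deliberate policy via `SCMP_ACT_ERRNO` will now also report the call as unsupported unless it sets `errnoRet` explicitly. Suggest adding a sentence to this bullet saying that profiles wanting a permission error must set `errnoRet` to `EPERM` themselves, and calling out the default change as a compatibility note for runtimes that implemented the previous wording.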