Skip to content

Commit

Permalink
config-linux: Default should be ENOSYS.
Browse files Browse the repository at this point in the history 
On Linux the major C libraries expect that syscalls that are
blocked from running in the container runtime return ENOSYS
to allow fallbacks to be used. Returning EPERM by default is
not useful particularly for syscalls that would return EPERM
for actual access restrictions e.g. the new faccessat2.

The runtime-spec should set the standard and recommend ENOSYS
be returned just like a kernel would that doesn't support that
syscall. This allows C runtimes to fall back on other possible
implementations given the userspace policies.

Please see the upstream discussions:
https://lwn.net/Articles/738694/
- Discusses fragility of syscall filtering.
opencontainers/runc#2151
- glibc and musl request ENOSYS return for unknown syscalls.
systemd/systemd#16739
- Discusses systemd-nspawn breakage with faccessat2.
systemd/systemd#16819
- General policy for systemd-nspawn to return ENOSYS.
seccomp/libseccomp#286
- Block unknown syscalls and erturn ENOSYS.
  • Loading branch information
@codonell
codonell committed Nov 17, 2020
1 parent f1164e5 commit f87e729
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion config-linux.md
View file
Original file line number Diff line number Diff line change
Expand Up @@ -646,7 +646,7 @@ The following parameters can be specified to set up seccomp:

* **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno
code to return. If not specified its default value is `EPERM`.
code to return. If not specified its default value is `ENOSYS`.

* **`args`** *(array of objects, OPTIONAL)* - the specific syscall in seccomp.
Each entry has the following structure:
Expand Down

0 comments on commit f87e729

Please sign in to comment.