From 3bfcde28eab5d7e107ddd3771fc92399332932a8 Mon Sep 17 00:00:00 2001
From: Giuseppe Scrivano
Date: Thu, 7 May 2020 12:31:06 +0200
Subject: [PATCH] seccomp: allow to override errno return code

some seccomp actions allow to specify the errno code returned for the syscall. Add a new attribute to the seccomp syscall so the default EPERM can be overriden.
Signed-off-by: Giuseppe Scrivano
---
 config-linux.md | 4 ++++
 schema/defs-linux.json | 3 +++
 specs-go/config.go | 7 ++++---
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/config-linux.md b/config-linux.md
index 368bf2856..8a1edd7fa 100644
--- a/config-linux.md
+++ b/config-linux.md
@@ -616,6 +616,10 @@ The following parameters can be specified to set up seccomp:
 * `SCMP_ACT_ALLOW`
 * `SCMP_ACT_LOG`
+ * **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
+ Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno
+ code to return. If not specified its default value is `EPERM`. + * **`args`** *(array of objects, OPTIONAL)* - the specific syscall in seccomp. Each entry has the following structure:
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
index f011b72bd..206a1fa1a 100644
--- a/schema/defs-linux.json
+++ b/schema/defs-linux.json
@@ -116,6 +116,9 @@
 "action": {
 "$ref": "#/definitions/SeccompAction"
 },
+ "errnoRet": {
+ "$ref": "defs.json#/definitions/uint32"
+ },
 "args": {
 "type": "array",
 "items": {
diff --git a/specs-go/config.go b/specs-go/config.go
index c7c7c3d08..6fa501c34 100644
--- a/specs-go/config.go
+++ b/specs-go/config.go
@@ -667,9 +667,10 @@ type LinuxSeccompArg struct {
 // LinuxSyscall is used to match a syscall in Seccomp
 type LinuxSyscall struct {
- Names []string `json:"names"`
- Action LinuxSeccompAction `json:"action"`
- Args []LinuxSeccompArg `json:"args,omitempty"`
+ Names []string `json:"names"`
+ Action LinuxSeccompAction `json:"action"`
+ ErrnoRet uint `json:"errno"`
+ Args []LinuxSeccompArg `json:"args,omitempty"`
 }
 // LinuxIntelRdt has container runtime resource constraints for Intel RDT
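Review bot: The JSON tag on the new `ErrnoRet` field is `errno`, while the config-linux.md and schema/defs-linux.json hunks in this same commit name the property `errnoRet`, so a config written to the documented spec would decode into this struct with `ErrnoRet` silently left at zero and a runtime using these Go types would apply the default instead of the requested code. The tag should also carry `omitempty`, as the sibling `Args` field does, so an unset value is not serialized as `"errno":0` (0 is not a meaningful errno and the schema would accept it as an explicit value): `ErrnoRet uint `json:"errnoRet,omitempty"``. Since the field has no way to distinguish "unset" from an explicit 0, a doc comment pinning that down would help implementers: `// ErrnoRet is the errno returned for actions that take one (SCMP_ACT_ERRNO, SCMP_ACT_TRACE); 0 means unset and the runtime default (EPERM) applies.` The schema hunk constrains the value to uint32 whereas the Go field is `uint`; presumably harmless, but the two should state the same width.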