diff --git a/debian/changelog b/debian/changelog
index f644f7e..d06dbd5 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+golang-github-opencontainers-specs (1.0.2.41.g7413a7f-1+deb11u1) bullseye; urgency=medium
+
+ * Backport seccomp patches from upstream to allow execution of newer
+ syscalls, Closes: #994451
+
+ -- Reinhard Tartler Mon, 27 Sep 2021 12:12:47 -0400
+
 golang-github-opencontainers-specs (1.0.2.41.g7413a7f-1) unstable; urgency=medium
 * Team upload.
diff --git a/debian/patches/override-default-errno-code.patch b/debian/patches/override-default-errno-code.patch
new file mode 100644
index 0000000..de4f589
--- /dev/null
+++ b/debian/patches/override-default-errno-code.patch
@@ -0,0 +1,66 @@
+From f7ef278d1bbaa6f97b8ef511fad478a31e953290 Mon Sep 17 00:00:00 2001
+From: Giuseppe Scrivano
+Date: Thu, 21 Jan 2021 13:20:57 +0100
+Subject: [PATCH] seccomp: allow to override default errno return code
+
+the specs already support overriding the errno code for the syscalls
+but the default value is hardcoded to EPERM.
+
+Add a new attribute to override the default value.
+
+Signed-off-by: Giuseppe Scrivano
+---
+ config-linux.md | 4 ++++
+ schema/config-linux.json | 3 +++
+ specs-go/config.go | 9 +++++----
+ 3 files changed, 12 insertions(+), 4 deletions(-)
+
+diff --git a/config-linux.md b/config-linux.md
+index 3c9d77f5..9a515fbf 100644
+--- a/config-linux.md
++++ b/config-linux.md
+@@ -594,6 +594,10 @@ The actions, architectures, and operators are strings that match the definitions
+ The following parameters can be specified to set up seccomp:
+
+ * **`defaultAction`** *(string, REQUIRED)* - the default action for seccomp. Allowed values are the same as `syscalls[].action`.
++* **`defaultErrnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
++ Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno code to return.
++ When the action doesn't support an errno, the runtime MUST print and error and fail.
++ If not specified then its default value is `EPERM`.
+ * **`architectures`** *(array of strings, OPTIONAL)* - the architecture used for system calls.
+ A valid list of constants as of libseccomp v2.5.0 is shown below.
+
+diff --git a/schema/config-linux.json b/schema/config-linux.json
+index 83478cc9..61468b9c 100644
+--- a/schema/config-linux.json
++++ b/schema/config-linux.json
+@@ -203,6 +203,9 @@
+ "defaultAction": {
+ "$ref": "defs-linux.json#/definitions/SeccompAction"
+ },
++ "defaultErrnoRet": {
++ "$ref": "defs.json#/definitions/uint32"
++ },
+ "flags": {
+ "type": "array",
+ "items": {
+diff --git a/specs-go/config.go b/specs-go/config.go
+index 40955144..16eac6dd 100644
+--- a/specs-go/config.go
++++ b/specs-go/config.go
+@@ -598,10 +598,11 @@ type VMImage struct {
+
+ // LinuxSeccomp represents syscall restrictions
+ type LinuxSeccomp struct {
+- DefaultAction LinuxSeccompAction `json:"defaultAction"`
+- Architectures []Arch `json:"architectures,omitempty"`
+- Flags []LinuxSeccompFlag `json:"flags,omitempty"`
+- Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
++ DefaultAction LinuxSeccompAction `json:"defaultAction"`
++ DefaultErrnoRet *uint `json:"defaultErrnoRet,omitempty"`
++ Architectures []Arch `json:"architectures,omitempty"`
++ Flags []LinuxSeccompFlag `json:"flags,omitempty"`
++ Syscalls []LinuxSyscall `json:"syscalls,omitempty"`
+ }
+
+ // Arch used for additional architectures
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..cd75fd3
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+override-default-errno-code.patch
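Review bot: The changelog entry speaks of backporting seccomp "patches" to allow execution of newer syscalls, but `debian/patches/series` carries a single patch that only adds the `defaultErrnoRet` field to `LinuxSeccomp`, the JSON schema and `config-linux.md`; by itself this library change alters no runtime behaviour, since the runtime that consumes the spec (e.g. runc) has to be rebuilt against the updated package before it can read the field, presumably via a companion upload that the changelog should name. Inside the backported patch the Go field is `DefaultErrnoRet *uint` while the schema entry added alongside it is `defs.json#/definitions/uint32` and the prose says `uint`, so the three only agree for values that fit in 32 bits, and the sentence `the runtime MUST print and error and fail` reads as a typo for `an error`. Both are upstream wording, so keep the patch byte-identical to upstream commit f7ef278d rather than correcting it locally, and report them upstream if they are not already fixed there.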