Merge pull request opencontainers#1041 from giuseppe/seccomp-errno

vbatts · web-flow · commit 2086147713eb · 2020-05-11T12:22:11.000-04:00
seccomp: allow to override errno return code
diff --git a/config-linux.md b/config-linux.md
@@ -616,6 +616,10 @@ The following parameters can be specified to set up seccomp:
         * `SCMP_ACT_ALLOW`
         * `SCMP_ACT_LOG`
 
+    * **`errnoRet`** *(uint, OPTIONAL)* - the errno return code to use.
+        Some actions like `SCMP_ACT_ERRNO` and `SCMP_ACT_TRACE` allow to specify the errno
+        code to return. If not specified its default value is `EPERM`.
+
     * **`args`** *(array of objects, OPTIONAL)* - the specific syscall in seccomp.
         Each entry has the following structure:
 
diff --git a/schema/defs-linux.json b/schema/defs-linux.json
@@ -116,6 +116,9 @@
                 "action": {
                     "$ref": "#/definitions/SeccompAction"
                 },
+                "errnoRet": {
+                    "$ref": "defs.json#/definitions/uint32"
+                },
                 "args": {
                     "type": "array",
                     "items": {
diff --git a/specs-go/config.go b/specs-go/config.go
@@ -667,9 +667,10 @@ type LinuxSeccompArg struct {
 
 // LinuxSyscall is used to match a syscall in Seccomp
 type LinuxSyscall struct {
-	Names  []string           `json:"names"`
-	Action LinuxSeccompAction `json:"action"`
-	Args   []LinuxSeccompArg  `json:"args,omitempty"`
+	Names    []string           `json:"names"`
+	Action   LinuxSeccompAction `json:"action"`
+	ErrnoRet uint               `json:"errno"`
+	Args     []LinuxSeccompArg  `json:"args,omitempty"`
 }
 
 // LinuxIntelRdt has container runtime resource constraints for Intel RDT
