all: handle EINTR and ENOENT

The go runtime can interrupt the program quite frequently with SIGURG
(this is exacerbated in go >= 1.14). For that reason, if these C
function return code is not 0 and errno is set to EINTR, we run them
again transparently for the user.

Also, it is possible that errno is set to ENOENT by the ioctl() syscall
done underneath, and what this means is that the notification is not
valid anymore (the kernel sets that). For users of this library to know
when this notification is not valid anymore, we return it in this case
too. This was useful for us to properly react to different failures in
our seccomp agent in golang.

To do this we can't rely on the return code from libseccomp, and need to
check the errno, because libseccomp returns fixed codes for errors.
Like, for example here[1], but it does this for the other functions
changed here too.

These issues were reported to libseccomp here:
	seccomp/libseccomp#302.

[1]: https://github.com/seccomp/libseccomp/blob/main/src/system.c#L501-L502

Signed-off-by: Rodrigo Campos <[email protected]>
Acked-by: Tom Hromatka <[email protected]>
Signed-off-by: Paul Moore <[email protected]>

Author: rata

seccomp_internal.go

@@ -765,7 +765,20 @@ func notifReceive(fd ScmpFd) (*ScmpNotifReq, error) {
 		C.seccomp_notify_free(req, resp)
 	}()
 
-	if retCode := C.seccomp_notify_receive(C.int(fd), req); retCode != 0 {
+	for {
+		retCode, errno := C.seccomp_notify_receive(C.int(fd), req)
+		if retCode == 0 {
+			break
+		}
+
+		if errno == syscall.EINTR {
+			continue
+		}
+
+		if errno == syscall.ENOENT {
+			return nil, errno
+		}
+
 		return nil, errRc(retCode)
 	}
 
@@ -793,7 +806,20 @@ func notifRespond(fd ScmpFd, scmpResp *ScmpNotifResp) error {
 
 	scmpResp.toNative(resp)
 
-	if retCode := C.seccomp_notify_respond(C.int(fd), resp); retCode != 0 {
+	for {
+		retCode, errno := C.seccomp_notify_respond(C.int(fd), resp)
+		if retCode == 0 {
+			break
+		}
+
+		if errno == syscall.EINTR {
+			continue
+		}
+
+		if errno == syscall.ENOENT {
+			return errno
+		}
+
 		return errRc(retCode)
 	}
 
@@ -807,8 +833,22 @@ func notifIDValid(fd ScmpFd, id uint64) error {
 		return fmt.Errorf("seccomp notification requires API level >= 6; current level = %d", apiLevel)
 	}
 
-	if retCode := C.seccomp_notify_id_valid(C.int(fd), C.uint64_t(id)); retCode != 0 {
+	for {
+		retCode, errno := C.seccomp_notify_id_valid(C.int(fd), C.uint64_t(id))
+		if retCode == 0 {
+			break
+		}
+
+		if errno == syscall.EINTR {
+			continue
+		}
+
+		if errno == syscall.ENOENT {
+			return errno
+		}
+
 		return errRc(retCode)
 	}
+
 	return nil
 }