[Backport][ipa-4-9] seccomp profile: Default to ENOSYS instead of EPERM #6052
Commits on Oct 18, 2021
-
seccomp profile: Default to ENOSYS instead of EPERM
This allows application to detect whether the kernel supports syscall or not. Previously, an error was unconditionally EPERM. There are many issues about glibc failed with new syscalls in containerized environments if their host run on old kernel. More about motivation for ENOSYS over EPERM: opencontainers/runc#2151 opencontainers/runc#2750 See about defaultErrnoRet introduction: opencontainers/runtime-spec#1087 Previously, FreeIPA profile was vendored from https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json Now it is merged directly from https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json Fixes: https://pagure.io/freeipa/issue/9008 Signed-off-by: Stanislav Levin <slev@altlinux.org>
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.