seccomp profile: Default to ENOSYS instead of EPERM · stanislavlevin/freeipa@d0ed4f0

Commit

seccomp profile: Default to ENOSYS instead of EPERM

This allows application to detect whether the kernel supports
syscall or not. Previously, an error was unconditionally EPERM.
There are many issues about glibc failed with new syscalls in containerized
environments if their host run on old kernel.

More about motivation for ENOSYS over EPERM:
opencontainers/runc#2151
opencontainers/runc#2750

See about defaultErrnoRet introduction:
opencontainers/runtime-spec#1087

Previously, FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containers/common/pkg/seccomp/seccomp.json

Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json

Fixes: https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev@altlinux.org>

Loading branch information

stanislavlevin committed Oct 15, 2021

1 parent 47fbe05 commit d0ed4f0

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Commit

There are no files selected for viewing

0 comments on commit `d0ed4f0`

Commit

There are no files selected for viewing

0 comments on commit d0ed4f0

0 comments on commit `d0ed4f0`