authorPaul Moore <paul@paul-moore.com>2020-04-02 20:58:18 -0400
committerPaul Moore <paul@paul-moore.com>2020-06-16 11:21:28 -0400
commit3d44b15e40c79c3187afeb73292aa1fc909a4463 (patch)
tree03f9d2f6a3ba063d18efe2c97349b2d0c26dd3cf
parent83989be027341a1add3c12f2e3690ee1032beba1 (diff)
system: treat kernel/libc errors as ECANCELED
It is likely a fool's errand to try to provide kernel and libc errno guarantees across different architectures, kernels, and libc implementations, so let's just punt on the problem and dump all of these errors into the ECANCELED bucket. Acked-by: Tom Hromatka <tom.hromatka@oracle.com> Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r--src/api.c2
-rw-r--r--src/gen_pfc.c7
-rw-r--r--src/system.c14
-rw-r--r--tests/11-basic-basic_errors.c4
4 files changed, 14 insertions, 13 deletions
diff --git a/src/api.c b/src/api.c
index 77dc290..961c3f8 100644
--- a/src/api.c
+++ b/src/api.c
@@ -610,7 +610,7 @@ API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd)
rc = write(fd, program->blks, BPF_PGM_SIZE(program));
gen_bpf_release(program);
if (rc < 0)
- return -errno;
+ return -ECANCELED;
return 0;
}
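Review bot: A short write is still reported as success, because the check after `write()` only tests `rc < 0`; a partial write of the BPF program returns 0 and leaves a truncated filter in `fd`. The byte count should be compared with the expected size as well, with the size captured in a local before `gen_bpf_release(program)` runs, and the test becoming `if (rc < 0 || (size_t)rc != len) return -ECANCELED;`. The type returned by `BPF_PGM_SIZE` is not visible here, so the cast may need adjusting. The body of seccomp_export_bpf starts above the hunk.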
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
index 767845f..3c644c2 100644
--- a/src/gen_pfc.c
+++ b/src/gen_pfc.c
@@ -469,18 +469,17 @@ arch_return:
*/
int gen_pfc_generate(const struct db_filter_col *col, int fd)
{
- int rc = 0;
int newfd;
unsigned int iter;
FILE *fds;
newfd = dup(fd);
if (newfd < 0)
- return errno;
+ return -ECANCELED;
fds = fdopen(newfd, "a");
if (fds == NULL) {
close(newfd);
- return errno;
+ return -ECANCELED;
}
/* generate the pfc */
@@ -501,5 +500,5 @@ int gen_pfc_generate(const struct db_filter_col *col, int fd)
fflush(fds);
fclose(fds);
- return rc;
+ return 0;
}
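Review bot: Write failures are silently reported as success at the end of gen_pfc_generate, because the results of `fflush(fds)` and `fclose(fds)` are ignored and the function now ends in an unconditional `return 0;`. A failed flush (full disk, closed pipe) therefore produces a truncated PFC dump that the caller believes is complete. In keeping with the rest of the commit, keep `int rc = 0;` and use `if (fflush(fds) != 0) rc = -ECANCELED;`, then `if (fclose(fds) != 0) rc = -ECANCELED;` and `return rc;`. The generation loop between the two hunks is not visible, so whether output errors are tracked there should be checked as well.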
diff --git a/src/system.c b/src/system.c
index ce7cb43..d73aaef 100644
--- a/src/system.c
+++ b/src/system.c
@@ -328,7 +328,7 @@ int sys_filter_load(struct db_filter_col *col)
rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
if (rc > 0 && col->attr.tsync_enable)
/* always return -ESRCH if we fail to sync threads */
- errno = ESRCH;
+ rc = -ESRCH;
if (rc > 0 && _support_seccomp_user_notif > 0) {
/* return 0 on NEW_LISTENER success, but save the fd */
col->notify_fd = rc;
@@ -340,8 +340,10 @@ int sys_filter_load(struct db_filter_col *col)
filter_load_out:
/* cleanup and return */
gen_bpf_release(prgm);
+ if (rc == -ESRCH)
+ return -ESRCH;
if (rc < 0)
- return -errno;
+ return -ECANCELED;
return rc;
}
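Review bot: The `rc == -ESRCH` test at `filter_load_out` is correct only because -ESRCH is assigned locally for the tsync failure while kernel/libc failures arrive as a raw -1, and nothing in the code says so. A comment above the test would make the sentinel explicit, e.g. `/* -ESRCH is set above for a tsync failure; any other negative rc is a kernel/libc error */`. The label is presumably reachable from code above the hunk, so it is worth confirming that no earlier path jumps here with a library-generated negative code that would now be rewritten to -ECANCELED.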
@@ -357,7 +359,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
rc = syscall(__NR_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes);
if (rc < 0)
- return -errno;
+ return -ECANCELED;
}
if (sizes.seccomp_notif == 0 || sizes.seccomp_notif_resp == 0)
return -EFAULT;
@@ -386,7 +388,7 @@ int sys_notify_receive(int fd, struct seccomp_notif *req)
return -EOPNOTSUPP;
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
- return -errno;
+ return -ECANCELED;
return 0;
}
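Review bot: Collapsing every `ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req)` failure into -ECANCELED means the return value no longer tells a caller whether the wait was interrupted, the fd is bad, or something else went wrong. That matters to a supervisor loop deciding whether to retry or stop. If callers are meant to consult `errno` for the cause, say so at the return, e.g. `/* errno is left as set by ioctl() for callers that need the cause */`, and in the API documentation. The same applies to sys_notify_respond in the next hunk; the start of sys_notify_receive is outside this one.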
@@ -397,7 +399,7 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
return -EOPNOTSUPP;
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
- return -errno;
+ return -ECANCELED;
return 0;
}
@@ -407,6 +409,6 @@ int sys_notify_id_valid(int fd, uint64_t id)
return -EOPNOTSUPP;
if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
- return -errno;
+ return -ENOENT;
return 0;
}
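Review bot: sys_notify_id_valid reports every `ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id)` failure as -ENOENT, unlike the other notify helpers in this commit, which return -ECANCELED, and the commit message does not mention the exception. A bad or wrong-type fd is then indistinguishable from a notification id that is no longer valid. Treating any failure as "invalid" fails closed for a supervisor, which is the safe direction, but it should be stated in the code, e.g. `/* any failure is treated as "id no longer valid" */` above the return. The function starts above the hunk.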
diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
index a41b7b5..bb33f42 100644
--- a/tests/11-basic-basic_errors.c
+++ b/tests/11-basic-basic_errors.c
@@ -151,7 +151,7 @@ int main(int argc, char *argv[])
return -1;
else {
rc = seccomp_export_pfc(ctx, sysconf(_SC_OPEN_MAX) - 1);
- if (rc != EBADF)
+ if (rc != -ECANCELED)
return -1;
}
seccomp_release(ctx);
@@ -167,7 +167,7 @@ int main(int argc, char *argv[])
return -1;
else {
rc = seccomp_export_bpf(ctx, sysconf(_SC_OPEN_MAX) - 1);
- if (rc != -EBADF)
+ if (rc != -ECANCELED)
return -1;
}
seccomp_release(ctx);