api: add the SCMP_FLTATR_API_SYSRAWRC filter attribute

See the manpage additions as part of this patch, but the basic idea
is that when this attribute is non-zero we make every effort to
convey the system's errno value back to the caller when something
goes wrong in libc or the kernel.  It is important to note from a
support perspective that our ability to support callers who make use
of this attribute will be diminished as the libc and kernel errno
values are beyond libseccomp's control.

If the attribute is zero, the library hides all of the system
failures under -ECANCELED.

Acked-by: Tom Hromatka <tom.hromatka@oracle.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

7 files changed, 151 insertions, 2 deletions

diff --git a/tests/.gitignore b/tests/.gitignore
index b51acc3..59eb15c 100644
--- a/tests/.gitignore
+++ b/tests/.gitignore
@@ -62,3 +62,4 @@ util.pyc
 54-live-binary_tree
 55-basic-pfc_binary_tree
 56-basic-iterate_syscalls
+57-basic-rawsysrc
diff --git a/tests/13-basic-attrs.c b/tests/13-basic-attrs.c
index e7b14f0..e3c5881 100644
--- a/tests/13-basic-attrs.c
+++ b/tests/13-basic-attrs.c
@@ -120,6 +120,28 @@ int main(int argc, char *argv[])
 		goto out;
 	}
 
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_attr_get(ctx, SCMP_FLTATR_CTL_OPTIMIZE, &val);
+	if (rc != 0)
+		goto out;
+	if (val != 2) {
+		rc = -1;
+		goto out;
+	}
+
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
+	if (rc != 0)
+		goto out;
+	rc = seccomp_attr_get(ctx, SCMP_FLTATR_API_SYSRAWRC, &val);
+	if (rc != 0)
+		goto out;
+	if (val != 1) {
+		rc = -1;
+		goto out;
+	}
+
 	rc = 0;
 out:
 	seccomp_release(ctx);
diff --git a/tests/13-basic-attrs.py b/tests/13-basic-attrs.py
index 0435ded..48c25a0 100755
--- a/tests/13-basic-attrs.py
+++ b/tests/13-basic-attrs.py
@@ -58,6 +58,9 @@ def test():
     f.set_attr(Attr.CTL_OPTIMIZE, 2)
     if f.get_attr(Attr.CTL_OPTIMIZE) != 2:
         raise RuntimeError("Failed getting Attr.CTL_OPTIMIZE")
+    f.set_attr(Attr.API_SYSRAWRC, 1)
+    if f.get_attr(Attr.API_SYSRAWRC) != 1:
+        raise RuntimeError("Failed getting Attr.API_SYSRAWRC")
 
 test()
 
diff --git a/tests/57-basic-rawsysrc.c b/tests/57-basic-rawsysrc.c
new file mode 100644
index 0000000..4248c7a
--- /dev/null
+++ b/tests/57-basic-rawsysrc.c
@@ -0,0 +1,64 @@
+/**
+ * Seccomp Library test program
+ *
+ * Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com>
+ * Author: Paul Moore <paul@paul-moore.com>
+ */
+
+/*
+ * This library is free software; you can redistribute it and/or modify it
+ * under the terms of version 2.1 of the GNU Lesser General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This library is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+ * for more details.
+ *
+ * You should have received a copy of the GNU Lesser General Public License
+ * along with this library; if not, see <http://www.gnu.org/licenses>.
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <unistd.h>
+#include <sys/types.h>
+#include <sys/stat.h>
+
+#include <seccomp.h>
+
+#include "util.h"
+
+int main(int argc, char *argv[])
+{
+	int rc;
+	int fd;
+	scmp_filter_ctx ctx = NULL;
+
+	rc = seccomp_api_set(3);
+	if (rc != 0)
+		return EOPNOTSUPP;
+
+	ctx = seccomp_init(SCMP_ACT_ALLOW);
+	if (ctx == NULL) {
+		rc = ENOMEM;
+		goto out;
+	}
+
+	rc = seccomp_attr_set(ctx, SCMP_FLTATR_API_SYSRAWRC, 1);
+	if (rc != 0)
+		goto out;
+
+	/* we must use a closed/invalid fd for this to work */
+	fd = dup(2);
+	close(fd);
+	rc = seccomp_export_pfc(ctx, fd);
+	if (rc == -EBADF)
+		rc = 0;
+	else
+		rc = -1;
+
+out:
+	seccomp_release(ctx);
+	return (rc < 0 ? -rc : rc);
+}
diff --git a/tests/57-basic-rawsysrc.py b/tests/57-basic-rawsysrc.py
new file mode 100755
index 0000000..a88461a
--- /dev/null
+++ b/tests/57-basic-rawsysrc.py
@@ -0,0 +1,46 @@
+#!/usr/bin/env python
+
+#
+# Seccomp Library test program
+#
+# Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+#
+# This library is free software; you can redistribute it and/or modify it
+# under the terms of version 2.1 of the GNU Lesser General Public License as
+# published by the Free Software Foundation.
+#
+# This library is distributed in the hope that it will be useful, but WITHOUT
+# ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+# FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Lesser General Public License
+# for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with this library; if not, see <http://www.gnu.org/licenses>.
+#
+
+import argparse
+import sys
+import os
+
+import util
+
+from seccomp import *
+
+def test():
+    # this test really isn't conclusive, but considering how python does error
+    # handling it may be the best we can do
+    f = SyscallFilter(ALLOW)
+    dummy = open("/dev/null", "w")
+    os.close(dummy.fileno())
+    try:
+        f = f.export_pfc(dummy)
+    except RuntimeError:
+        pass
+
+test()
+
+# kate: syntax python;
+# kate: indent-mode python; space-indent on; indent-width 4; mixedindent off;
diff --git a/tests/57-basic-rawsysrc.tests b/tests/57-basic-rawsysrc.tests
new file mode 100644
index 0000000..fe71632
--- /dev/null
+++ b/tests/57-basic-rawsysrc.tests
@@ -0,0 +1,11 @@
+#
+# libseccomp regression test automation data
+#
+# Copyright (c) 2020 Cisco Systems, Inc. <pmoore2@cisco.com>
+# Author: Paul Moore <paul@paul-moore.com>
+#
+
+test type: basic
+
+# Test command
+57-basic-rawsysrc
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 629b910..1765eec 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -95,7 +95,8 @@ check_PROGRAMS = \
 	53-sim-binary_tree \
 	54-live-binary_tree \
 	55-basic-pfc_binary_tree \
-	56-basic-iterate_syscalls
+	56-basic-iterate_syscalls \
+	57-basic-rawsysrc
 
 EXTRA_DIST_TESTPYTHON = \
 	util.py \
@@ -210,7 +211,8 @@ EXTRA_DIST_TESTCFGS = \
 	53-sim-binary_tree.tests \
 	54-live-binary_tree.tests \
 	55-basic-pfc_binary_tree.tests \
-	56-basic-iterate_syscalls.tests
+	56-basic-iterate_syscalls.tests \
+	57-basic-rawsysrc.tests
 
 EXTRA_DIST_TESTSCRIPTS = \
 	38-basic-pfc_coverage.sh 38-basic-pfc_coverage.pfc \