From 3d44b15e40c79c3187afeb73292aa1fc909a4463 Mon Sep 17 00:00:00 2001
From: Paul Moore
Date: Thu, 2 Apr 2020 20:58:18 -0400
Subject: system: treat kernel/libc errors as ECANCELED
It is likely a fools errand to try and provide kernel and libc errno guarantees across different architectures, kernels, and libc implementations so let's just punt on the problem and dump all of these errors into the ECANCELED bucket.
Acked-by: Tom Hromatka
Signed-off-by: Paul Moore
---
 src/api.c | 2 +-
 src/gen_pfc.c | 7 +++----
 src/system.c | 14 ++++++++------
 tests/11-basic-basic_errors.c | 4 ++--
 4 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/src/api.c b/src/api.c
index 77dc290..961c3f8 100644
--- a/src/api.c
+++ b/src/api.c
@@ -610,7 +610,7 @@ API int seccomp_export_bpf(const scmp_filter_ctx ctx, int fd)
 rc = write(fd, program->blks, BPF_PGM_SIZE(program));
 gen_bpf_release(program);
 if (rc < 0)
- return -errno;
+ return -ECANCELED;
 return 0;
 }
diff --git a/src/gen_pfc.c b/src/gen_pfc.c
index 767845f..3c644c2 100644
--- a/src/gen_pfc.c
+++ b/src/gen_pfc.c
@@ -469,18 +469,17 @@ arch_return:
 */
 int gen_pfc_generate(const struct db_filter_col *col, int fd)
 {
- int rc = 0;
 int newfd;
 unsigned int iter;
 FILE *fds;
 newfd = dup(fd);
 if (newfd < 0)
- return errno;
+ return -ECANCELED;
 fds = fdopen(newfd, "a");
 if (fds == NULL) {
 close(newfd);
- return errno;
+ return -ECANCELED;
 }
 /* generate the pfc */
@@ -501,5 +500,5 @@ int gen_pfc_generate(const struct db_filter_col *col, int fd)
 fflush(fds);
 fclose(fds);
- return rc;
+ return 0;
 }
diff --git a/src/system.c b/src/system.c
index ce7cb43..d73aaef 100644
--- a/src/system.c
+++ b/src/system.c
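Review bot: A short write is still reported as success in `seccomp_export_bpf()`: the check after `write()` only rejects `rc < 0`, so a partially written BPF program returns 0 and whoever reads `fd` gets a truncated filter. Because `gen_bpf_release(program)` runs before the check, the expected length has to be captured first, e.g. `len = BPF_PGM_SIZE(program);` ahead of the `write()` and `if (rc < 0 || (size_t)rc != len) return -ECANCELED;` after the release. The start of the function is outside the hunk, so the declared type of `rc` is assumed to be able to hold the `write()` result.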
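Review bot: With `rc` removed, `gen_pfc_generate()` ends in an unconditional `return 0;` while the results of `fflush(fds)` and `fclose(fds)` directly above it are discarded, so a failed write of the PFC output is reported to the caller as success. Those failures fit the new error bucket: `if (ferror(fds) || fflush(fds) != 0) { fclose(fds); return -ECANCELED; }` followed by `if (fclose(fds) != 0) return -ECANCELED;` before the final `return 0;`. The generation code between this hunk and the previous one is not visible here; the `ferror()` test is what would catch output errors raised there.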
@@ -328,7 +328,7 @@ int sys_filter_load(struct db_filter_col *col)
 rc = syscall(_nr_seccomp, SECCOMP_SET_MODE_FILTER, flgs, prgm);
 if (rc > 0 && col->attr.tsync_enable)
 /* always return -ESRCH if we fail to sync threads */
- errno = ESRCH;
+ rc = -ESRCH;
 if (rc > 0 && _support_seccomp_user_notif > 0) {
 /* return 0 on NEW_LISTENER success, but save the fd */
 col->notify_fd = rc;
@@ -340,8 +340,10 @@ int sys_filter_load(struct db_filter_col *col)
 filter_load_out:
 /* cleanup and return */
 gen_bpf_release(prgm);
+ if (rc == -ESRCH)
+ return -ESRCH;
 if (rc < 0)
- return -errno;
+ return -ECANCELED;
 return rc;
 }
@@ -357,7 +359,7 @@ int sys_notify_alloc(struct seccomp_notif **req,
 if (sizes.seccomp_notif == 0 && sizes.seccomp_notif_resp == 0) {
 rc = syscall(__NR_seccomp, SECCOMP_GET_NOTIF_SIZES, 0, &sizes);
 if (rc < 0)
- return -errno;
+ return -ECANCELED;
 }
 if (sizes.seccomp_notif == 0 || sizes.seccomp_notif_resp == 0)
 return -EFAULT;
@@ -386,7 +388,7 @@ int sys_notify_receive(int fd, struct seccomp_notif *req)
 return -EOPNOTSUPP;
 if (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0)
- return -errno;
+ return -ECANCELED;
 return 0;
 }
@@ -397,7 +399,7 @@ int sys_notify_respond(int fd, struct seccomp_notif_resp *resp)
 return -EOPNOTSUPP;
 if (ioctl(fd, SECCOMP_IOCTL_NOTIF_SEND, resp) < 0)
- return -errno;
+ return -ECANCELED;
 return 0;
 }
@@ -407,6 +409,6 @@ int sys_notify_id_valid(int fd, uint64_t id)
 return -EOPNOTSUPP;
 if (ioctl(fd, SECCOMP_IOCTL_NOTIF_ID_VALID, &id) < 0)
- return -errno;
+ return -ENOENT;
 return 0;
 }
diff --git a/tests/11-basic-basic_errors.c b/tests/11-basic-basic_errors.c
index a41b7b5..bb33f42 100644
--- a/tests/11-basic-basic_errors.c
+++ b/tests/11-basic-basic_errors.c
@@ -151,7 +151,7 @@ int main(int argc, char *argv[])
 return -1;
 else {
 rc = seccomp_export_pfc(ctx, sysconf(_SC_OPEN_MAX) - 1);
- if (rc != EBADF)
+ if (rc != -ECANCELED)
 return -1;
 }
 seccomp_release(ctx);
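Review bot: The `if (rc == -ESRCH)` test at `filter_load_out:` treats a particular value of `rc` as the marker for the TSYNC failure set in the previous hunk, which is only correct while every other failure that reaches the label leaves `rc` at the raw `-1` returned by the kernel call. The part of `sys_filter_load()` above the first hunk is not visible, so that cannot be confirmed from here. A comment on the check would record the assumption, e.g. `/* rc is -1 for raw kernel failures; -ESRCH is only set by the tsync path above */`.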
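Review bot: Mapping every `SECCOMP_IOCTL_NOTIF_RECV` failure to `-ECANCELED` in `sys_notify_receive()` means a caller can no longer tell a wait interrupted by a signal (EINTR) from a listener that is really gone, so a supervisor loop that used to retry on `-EINTR` may now give up on a harmless signal. One option that keeps the collapsed error contract is to retry inside the wrapper: `while (ioctl(fd, SECCOMP_IOCTL_NOTIF_RECV, req) < 0) { if (errno != EINTR) return -ECANCELED; }`. If returning on a signal is intended, the function's documentation should state that `-ECANCELED` includes interruption.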
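Review bot: `sys_notify_id_valid()` now returns `-ENOENT` for any `SECCOMP_IOCTL_NOTIF_ID_VALID` failure, so a bad or wrong-type `fd` is reported as "notification id no longer valid" rather than as a failure of the check itself. That fails closed for a supervisor that drops the request on `-ENOENT`, but it differs from the other wrappers in this file and hides a broken listener fd. Either keep the distinction with `return (errno == ENOENT) ? -ENOENT : -ECANCELED;` or add a comment such as `/* any failure is treated as "id not valid" */` so the deviation from `-ECANCELED` is visibly deliberate.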
@@ -167,7 +167,7 @@ int main(int argc, char *argv[])
 return -1;
 else {
 rc = seccomp_export_bpf(ctx, sysconf(_SC_OPEN_MAX) - 1);
- if (rc != -EBADF)
+ if (rc != -ECANCELED)
 return -1;
 }
 seccomp_release(ctx);
-- cgit v1.2.1