vendor runc v1.0.0-rc91

Signed-off-by: Akihiro Suda <akihiro.suda.cz@hco.ntt.co.jp>

vendor/github.com/opencontainers/runc/libcontainer/seccomp/seccomp_linux.go

@@ -4,6 +4,7 @@ package seccomp
 
 import (
 	"bufio"
+	"errors"
 	"fmt"
 	"os"
 	"strings"
@@ -34,12 +35,12 @@ const (
 // of the init until they join the namespace
 func InitSeccomp(config *configs.Seccomp) error {
 	if config == nil {
-		return fmt.Errorf("cannot initialize Seccomp - nil config passed")
+		return errors.New("cannot initialize Seccomp - nil config passed")
 	}
 
-	defaultAction, err := getAction(config.DefaultAction)
+	defaultAction, err := getAction(config.DefaultAction, nil)
 	if err != nil {
-		return fmt.Errorf("error initializing seccomp - invalid default action")
+		return errors.New("error initializing seccomp - invalid default action")
 	}
 
 	filter, err := libseccomp.NewFilter(defaultAction)
@@ -67,7 +68,7 @@ func InitSeccomp(config *configs.Seccomp) error {
 	// Add a rule for each syscall
 	for _, call := range config.Syscalls {
 		if call == nil {
-			return fmt.Errorf("encountered nil syscall while initializing Seccomp")
+			return errors.New("encountered nil syscall while initializing Seccomp")
 		}
 
 		if err = matchCall(filter, call); err != nil {
@@ -101,22 +102,28 @@ func IsEnabled() bool {
 }
 
 // Convert Libcontainer Action to Libseccomp ScmpAction
-func getAction(act configs.Action) (libseccomp.ScmpAction, error) {
+func getAction(act configs.Action, errnoRet *uint) (libseccomp.ScmpAction, error) {
 	switch act {
 	case configs.Kill:
 		return actKill, nil
 	case configs.Errno:
+		if errnoRet != nil {
+			return libseccomp.ActErrno.SetReturnCode(int16(*errnoRet)), nil
+		}
 		return actErrno, nil
 	case configs.Trap:
 		return actTrap, nil
 	case configs.Allow:
 		return actAllow, nil
 	case configs.Trace:
+		if errnoRet != nil {
+			return libseccomp.ActTrace.SetReturnCode(int16(*errnoRet)), nil
+		}
 		return actTrace, nil
 	case configs.Log:
 		return actLog, nil
 	default:
-		return libseccomp.ActInvalid, fmt.Errorf("invalid action, cannot use in rule")
+		return libseccomp.ActInvalid, errors.New("invalid action, cannot use in rule")
 	}
 }
 
@@ -138,7 +145,7 @@ func getOperator(op configs.Operator) (libseccomp.ScmpCompareOp, error) {
 	case configs.MaskEqualTo:
 		return libseccomp.CompareMaskedEqual, nil
 	default:
-		return libseccomp.CompareInvalid, fmt.Errorf("invalid operator, cannot use in rule")
+		return libseccomp.CompareInvalid, errors.New("invalid operator, cannot use in rule")
 	}
 }
 
@@ -147,7 +154,7 @@ func getCondition(arg *configs.Arg) (libseccomp.ScmpCondition, error) {
 	cond := libseccomp.ScmpCondition{}
 
 	if arg == nil {
-		return cond, fmt.Errorf("cannot convert nil to syscall condition")
+		return cond, errors.New("cannot convert nil to syscall condition")
 	}
 
 	op, err := getOperator(arg.Op)
@@ -161,11 +168,11 @@ func getCondition(arg *configs.Arg) (libseccomp.ScmpCondition, error) {
 // Add a rule to match a single syscall
 func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
 	if call == nil || filter == nil {
-		return fmt.Errorf("cannot use nil as syscall to block")
+		return errors.New("cannot use nil as syscall to block")
 	}
 
 	if len(call.Name) == 0 {
-		return fmt.Errorf("empty string is not a valid syscall")
+		return errors.New("empty string is not a valid syscall")
 	}
 
 	// If we can't resolve the syscall, assume it's not supported on this kernel
@@ -176,7 +183,7 @@ func matchCall(filter *libseccomp.ScmpFilter, call *configs.Syscall) error {
 	}
 
 	// Convert the call's action to the libseccomp equivalent
-	callAct, err := getAction(call.Action)
+	callAct, err := getAction(call.Action, call.ErrnoRet)
 	if err != nil {
 		return fmt.Errorf("action in seccomp profile is invalid: %s", err)
 	}