URL:
https://github.com/freeipa/freeipa/pull/6048
Author: stanislavlevin
Title: #6048: seccomp profile: Default to ENOSYS instead of EPERM
Action: opened
PR body:
"""
This allows an application to detect whether the kernel supports
syscall or not. Previously, an error was unconditionally EPERM.
There are many issues about glibc failing with new syscalls in containerized
environments if their host runs on an old kernel.
More about motivation for ENOSYS over EPERM:
https://github.com/opencontainers/runc/issues/2151
https://github.com/opencontainers/runc/pull/2750
See about defaultErrnoRet introduction:
https://github.com/opencontainers/runtime-spec/pull/1087
Previously, the FreeIPA profile was vendored from
https://github.com/containers/podman/blob/main/vendor/github.com/containe...
Now it is merged directly from
https://github.com/containers/common/blob/main/pkg/seccomp/seccomp.json
Fixes:
https://pagure.io/freeipa/issue/9008
Signed-off-by: Stanislav Levin <slev(a)altlinux.org>
"""
To pull the PR as a Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6048/head:pr6048
git checkout pr6048
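To make the ENOSYS-versus-EPERM point concrete, here is an added example (not code from FreeIPA, runc or containers/common) that evaluates two constructed profile fragments laid out like the runtime-spec seccomp JSON (`defaultAction`, `defaultErrnoRet`, `syscalls[].names/action/errnoRet`) and shows what a libc-style wrapper would conclude from the errno it gets back. It assumes the simplification that the first rule naming a syscall wins and that argument filters are ignored.

```python
import json

# seccomp filters return Linux errno values regardless of the host libc,
# so use the Linux numbers directly rather than the errno module.
EPERM_LINUX = 1
ENOSYS_LINUX = 38

# Constructed fragments modelled on the containers/common seccomp.json layout
# (not the real profile): the old style with no defaultErrnoRet, and the new
# style defaulting to ENOSYS while still returning EPERM for an explicit deny.
OLD_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"}
  ]
}""")
NEW_PROFILE = json.loads("""{
  "defaultAction": "SCMP_ACT_ERRNO",
  "defaultErrnoRet": 38,
  "syscalls": [
    {"names": ["read", "write", "exit_group"], "action": "SCMP_ACT_ALLOW"},
    {"names": ["bpf"], "action": "SCMP_ACT_ERRNO", "errnoRet": 1}
  ]
}""")

def profile_errno(profile, syscall):
    """Return None if the profile allows the syscall, else the errno it returns.
    Per the runtime-spec, a missing errnoRet/defaultErrnoRet means EPERM.
    Simplification: first matching rule wins and argument filters are ignored."""
    for rule in profile.get("syscalls", []):
        if syscall in rule["names"]:
            if rule["action"] == "SCMP_ACT_ALLOW":
                return None
            if rule["action"] == "SCMP_ACT_ERRNO":
                return rule.get("errnoRet", EPERM_LINUX)
            raise ValueError(f"unhandled action {rule['action']}")
    if profile["defaultAction"] == "SCMP_ACT_ALLOW":
        return None
    if profile["defaultAction"] == "SCMP_ACT_ERRNO":
        return profile.get("defaultErrnoRet", EPERM_LINUX)
    raise ValueError(f"unhandled default action {profile['defaultAction']}")

def libc_fallback_decision(err):
    """What a libc wrapper does after trying a newer syscall: ENOSYS means the
    syscall is unknown here, so retry the legacy path; EPERM means it was denied."""
    if err is None:
        return "new syscall used"
    if err == ENOSYS_LINUX:
        return "fallback to legacy syscall"
    return "error surfaced to caller"
```

With the old profile an unlisted syscall such as a newer one the container's glibc probes for reports EPERM and the wrapper gives up, whereas the new profile reports ENOSYS and the wrapper falls back, while an explicitly denied syscall still gets EPERM.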