seccomp: fix go-specs for errnoRet

[giuseppe]

commit 3bfcde2 introduced errnoRet
for seccomp syscalls but the Go specs were not implemented correctly.

Signed-off-by: Giuseppe Scrivano [email protected]

[rhatdan]

@vbatts PTAL

[giuseppe]

@mrunalp PTAL

[thaJeztah]

Wondering; Was the pointer needed? (wondering because IIRC, omitempty also omits 0, in which case the default for an uint would be a meaningful value (no override)

[giuseppe]

I think we need the pointer here as specifying ErrnoRet = 0 has a different meaning (report success), while the default with ErrnoRet unspecified is EPERM.

I've done a test for omitempty and it seems pointers are omitted only if they are nil: https://play.golang.org/p/wnzK9EQNCOS

[thaJeztah]

Wouldn't ErrnoRet = 0 conflict with the purpose of LinuxSeccompAction ?

[giuseppe]

I think the combination SCMP_ACT_ERRNO and ErrnoRet = 0 is useful and it is different than SCMP_ACT_ALLOW, since the syscall is not performed but it is reported as successful.

[thaJeztah]

Ah, gotcha, yes, that makes sense

[cyphar]

Yeah, it's critical that it be clear whether errnoRet was unset (-EPERM) or 0 (a "success" but the syscall isn't run). As an aside, this trick is used for the relatively-new seccomp syscall emulation.

[thaJeztah]

I assumed it would only be used with > 0 values (0 meaning; don't change the default); thx!

[cyphar]

All good, it's definitely not the intended use for seccomp. ;)

[mrunalp]

LGTM

[cyphar]

LGTM.

[giuseppe]

@caniszczyk @crosbymichael @dqminh @hqhq @philips @tianon @vishh PTAL

[tianon]

LGTM