seccomp_restrict_sxid: return ENOSYS for openat2()

We reject all openat2() calls because it is currently not possible to
inspect its flags parameter via seccomp.

Fallback code is more likely to look for ENOSYS than EPERM.

diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 03d039f778ff2c962bf1ea5ee2265c7944a368fb..ab24baaf9e65fb95f677836ed35745ece2d99430 100644 (file)
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -2079,10 +2079,12 @@ static int seccomp_restrict_sxid(scmp_filter_ctx seccomp, mode_t m) {
         /* The new openat2() system call can't be filtered sensibly, since it moves the flags parameter into
          * an indirect structure. Let's block it entirely for now. That should be a reasonably OK thing to do
          * for now, since openat2() is very new and code generally needs fallback logic anyway to be
-         * compatible with kernels that are not absolutely recent. */
+         * compatible with kernels that are not absolutely recent. We would normally return EPERM for a
+         * policy check, but this isn't strictly a policy check. Instead, we return ENOSYS to force programs
+         * to call open() or openat() instead. We can properly enforce policy for those functions. */
         r = seccomp_rule_add_exact(
                         seccomp,
-                        SCMP_ACT_ERRNO(EPERM),
+                        SCMP_ACT_ERRNO(ENOSYS),
                         SCMP_SYS(openat2),
                         0);
         if (r < 0)